Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
symantecSymantec Security ResponseSMNTC-111337
HistoryNov 27, 2019 - 12:00 a.m.

Ansible CVE-2019-14905 OS Command Injection Vulnerability

2019-11-2700:00:00
Symantec Security Response
www.symantec.com
12
JSON

Description

Ansible is prone to an OS command-injection vulnerability. An attacker may exploit this issue to inject and execute arbitrary commands within the context of the affected application; this may aid in further attacks. Versions prior to Ansible 2.9.2, 2.8.8 and 2.7.16 are vulnerable.

Technologies Affected

  • AnsibleWorks ansible 2.6.0
  • AnsibleWorks ansible 2.6.10
  • AnsibleWorks ansible 2.6.11
  • AnsibleWorks ansible 2.6.13
  • AnsibleWorks ansible 2.6.14
  • AnsibleWorks ansible 2.6.19
  • AnsibleWorks ansible 2.6.5
  • AnsibleWorks ansible 2.6.6
  • AnsibleWorks ansible 2.6.7
  • AnsibleWorks ansible 2.6.8
  • AnsibleWorks ansible 2.6.9
  • AnsibleWorks ansible 2.7.0
  • AnsibleWorks ansible 2.7.1
  • AnsibleWorks ansible 2.7.13
  • AnsibleWorks ansible 2.7.15
  • AnsibleWorks ansible 2.7.2
  • AnsibleWorks ansible 2.7.3
  • AnsibleWorks ansible 2.7.4
  • AnsibleWorks ansible 2.7.5
  • AnsibleWorks ansible 2.7.7
  • AnsibleWorks ansible 2.7.8
  • AnsibleWorks ansible 2.8.0
  • AnsibleWorks ansible 2.8.1
  • AnsibleWorks ansible 2.8.2
  • AnsibleWorks ansible 2.8.4
  • AnsibleWorks ansible 2.8.7
  • AnsibleWorks ansible 2.9.1
  • Redhat Ansible Engine 2
  • Redhat Ansible Tower 3.0.0
  • Redhat Ceph Storage 2
  • Redhat Ceph Storage 3
  • Redhat CloudForms Management Engine 5.0
  • Redhat OpenStack Platform 10
  • Redhat OpenStack Platform 13
  • Redhat OpenStack Platform 14

Recommendations

Block external access at the network boundary, unless external parties require service.
Filter access to the affected computer at the network boundary if global access isn’t needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor the network for suspicious requests. This may help detect attacks that try to exploit this and similar vulnerabilities. Audit all applicable logs regularly

Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.

Updates are available. Please see the references or vendor advisory for more information.

Related

osv 3
cve 1
redhatcve 1
prion 1
debiancve 1
veracode 1
github 1
ubuntucve 1
alpinelinux 1
fedora 2
redhat 4
mageia 1
nessus 9
openvas 4
suse 3
osv
osv
CVE-2019-14905
2020-03-31 17:15:26
Externally Controlled Reference to a Resource in Another Sphere, Improper Input Validation, and External Control of File Name or Path in Ansible
2021-04-20 16:44:49
PYSEC-2020-206
2020-03-31 17:15:00
cve
cve
CVE-2019-14905
2020-03-31 17:15:00
redhatcve
redhatcve
CVE-2019-14905
2019-11-27 18:48:02
prion
prion
Command injection
2020-03-31 17:15:00
debiancve
debiancve
CVE-2019-14905
2020-03-31 17:15:00
veracode
veracode
OS Command Injection
2019-11-29 06:23:27
github
github
Externally Controlled Reference to a Resource in Another Sphere, Improper Input Validation, and External Control of File Name or Path in Ansible
2021-04-20 16:44:49
ubuntucve
ubuntucve
CVE-2019-14905
2020-03-31 00:00:00
alpinelinux
alpinelinux
CVE-2019-14905
2020-03-31 17:15:00
fedora
fedora
[SECURITY] Fedora 31 Update: ansible-2.9.3-1.fc31
2020-01-31 02:03:49
[SECURITY] Fedora 30 Update: ansible-2.9.3-1.fc30
2020-01-31 01:14:23
redhat
redhat
(RHSA-2020:0215) Moderate: Ansible security and bug fix update (2.9.4)
2020-01-23 16:24:38
(RHSA-2020:0217) Moderate: Ansible security and bug fix update (2.7.16)
2020-01-23 16:26:02
(RHSA-2020:0218) Moderate: Ansible security and bug fix update (2.9.4)
2020-01-23 16:26:22
mageia
mageia
Updated ansible package fixes security vulnerabilities
2020-01-28 10:52:40
nessus
nessus
Fedora 31 : ansible (2020-caf7f7d0d9)
2020-01-31 00:00:00
RHEL 7 / 8 : Ansible security and bug fix update (2.9.4) (Moderate) (RHSA-2020:0218)
2020-01-27 00:00:00
RHEL 7 / 8 : Ansible security and bug fix update (2.9.4) (Moderate) (RHSA-2020:0215)
2020-01-27 00:00:00
openvas
openvas
Fedora: Security Advisory for ansible (FEDORA-2020-caf7f7d0d9)
2020-01-31 00:00:00
Mageia: Security Advisory (MGASA-2020-0060)
2022-01-28 00:00:00
Fedora: Security Advisory for ansible (FEDORA-2020-2bed89517f)
2020-01-31 00:00:00
suse
suse
Security update for ansible (moderate)
2020-04-16 00:00:00
Security update for ansible (moderate)
2020-04-13 00:00:00
Security update for ansible (important)
2022-03-16 00:00:00
JSON
Related for SMNTC-111337
osv3cve1redhatcve1prion1debiancve1veracode1github1ubuntucve1alpinelinux1fedora2redhat4mageia1nessus9openvas4suse3