A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for a zone on the Solaris host, the module checks the zone name by listing processes with a bare 'ps' command on the remote machine. An attacker could take advantage of this flaw by crafting the zone name so that arbitrary commands are executed on the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.
CVE-2019-14904 - Medium Severity Vulnerability
Vulnerable Libraries - ansible-2.2.3.0.tar.gz, ansible-2.5.4.tar.gz
ansible-2.2.3.0.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/ba/41/83e024cdf5ca3b53c14261f268da7512ca395b893cab98c0639f9644b6b7/ansible-2.2.3.0.tar.gz
Path to dependency file: yugabyte-db/cloud/kubernetes/yb-multiregion-k8s
Path to vulnerable library: yugabyte-db/cloud/kubernetes/yb-multiregion-k8s,yugabyte-db/managed/devops/python_requirements.txt
Dependency Hierarchy:
- :x: **ansible-2.2.3.0.tar.gz** (Vulnerable Library)
ansible-2.5.4.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/6e/95/490f5e39ee7cc7956eecd070610f0a873b97781c9efdbf6098bad2ed3ee0/ansible-2.5.4.tar.gz
Path to dependency file: yugabyte-db/managed/devops/python3_requirements.txt
Path to vulnerable library: yugabyte-db/managed/devops/python3_requirements.txt,yugabyte-db/cloud/kubernetes/yb-multiregion-k8s
Dependency Hierarchy:
- :x: **ansible-2.5.4.tar.gz** (Vulnerable Library)
Found in HEAD commit: d5a0ed9bff63893a5435e09333d22846f6bb3acc
Found in base branch: master
Vulnerability Details
Publish Date: 2020-08-26
URL: CVE-2019-14904
CVSS 2 Score Details (6.1)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1776944
Fix Resolution: Upgrade to ansible-engine 2.7.16, ansible-engine 2.8.8, ansible-engine 2.9.4 or later