Externally Controlled Reference to a Resource in Another Sphere
CVE-2019-14905
Summary
A vulnerability was found in Ansible Engine before 2.7.16, 2.9.x before 2.9.3 and 2.8.x before 2.8.8, in Ansible's nxos_file_copy module, which can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system, among other issues.
- LOW
- LOCAL
- LOW
- UNCHANGED
- NONE
- HIGH
- HIGH
- LOW
CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.