MGASA-2020-0060

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2020-0060.html

Import Source

https://advisories.mageia.org/MGASA-2020-0060.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2020-0060

Related

Published

2020-01-28T07:52:40Z

Modified

2020-01-28T07:30:49Z

Summary

Updated ansible package fixes security vulnerabilities

Details

A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host (CVE-2019-14904).

A vulnerability in Ansible's nxosfilecopy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues (CVE-2019-14905).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:7 / ansible

Package

Name: ansible
Purl: pkg:rpm/mageia/ansible?distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.16-1.mga7

Ecosystem specific

{
    "section": "core"
}