Externally Controlled Reference to a Resource in Another Sphere, Improper Input Validation, and External Control of File Name or Path in Ansible
High severity
GitHub Reviewed
Published Apr 20, 2021 to the GitHub Advisory Database • Updated Nov 18, 2024
Package
Affected versions
>= 2.7.0a1, < 2.7.16
>= 2.8.0a1, < 2.8.8
>= 2.9.0a1, < 2.9.3
Patched versions
2.7.16
2.8.8
2.9.3
Description
Published by the National Vulnerability Database: Mar 31, 2020
Reviewed: Apr 5, 2021
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, in Ansible's nxos_file_copy module, which can be used to copy files to flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injection. This could result in a loss of confidentiality of the system, among other issues.
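One way to guard a file name before it reaches a device command line, as an added example (not Ansible's patch and not code from the advisory). The allowed character set, the function names and the `<file_system><file>` destination format are assumptions made for illustration.

```python
import re

# Assumption: a destination is one or more '/'-separated components made only
# of letters, digits, '.', '_' and '-'. Everything else is refused, not escaped.
_SAFE_COMPONENT = re.compile(r"[A-Za-z0-9._-]{1,255}")
ALLOWED_FILE_SYSTEMS = ("bootflash:", "flash:")


class UnsafeFilenameError(ValueError):
    """The value must not be placed into a device command line."""


def validate_remote_filename(name):
    """Return name unchanged if every path component is allowlisted."""
    if not isinstance(name, str) or not name:
        raise UnsafeFilenameError("file name must be a non-empty string")
    for part in name.split("/"):
        if part in ("", ".", ".."):
            raise UnsafeFilenameError("empty or relative component in %r" % name)
        # fullmatch, not match with '$': '$' would accept a trailing newline.
        if not _SAFE_COMPONENT.fullmatch(part):
            raise UnsafeFilenameError("disallowed character in %r" % name)
    return name


def build_destination(file_system, remote_file):
    """Compose '<file_system><remote_file>' from checked parts only."""
    if file_system not in ALLOWED_FILE_SYSTEMS:
        raise UnsafeFilenameError("unsupported file system %r" % file_system)
    return file_system + validate_remote_filename(remote_file)


def rejected(names):
    """Return the subset of names that fail validation, in input order."""
    bad = []
    for name in names:
        try:
            validate_remote_filename(name)
        except UnsafeFilenameError:
            bad.append(name)
    return bad


# Constructed sample values, not taken from the advisory.
SAMPLES = ["nxos.9.3.1.bin", "images/nxos.bin", "a.bin;b", "a.bin\n",
           "a b.bin", "$(a).bin", "../a.bin", ""]

if __name__ == "__main__":
    print(rejected(SAMPLES))
```

The validator rejects rather than escapes, so a value that fails never reaches the command string in any form.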
References