CVE-2019-14904
Command Injection vulnerability in ansible (PyPI)
What is CVE-2019-14904 About?
A command injection vulnerability exists in the Ansible Community `solaris_zone` module, allowing attackers to execute arbitrary commands by crafting a malicious zone name. The flaw arises because the module uses the `ps` command to check zone names, which can be manipulated to inject shell commands. Exploitation can be relatively easy for an authenticated attacker with permissions to manage Solaris zones.
Affected Software
- ansible
- >=2.8.0a1, <2.8.8
- <2.7.16
- <2.7.15
- >=2.9.0a1, <2.9.3
Technical Details
The solaris_zone module, when setting a zone name, performs a check by directly incorporating the user-supplied zone name into a shell command that executes ps on the remote Solaris host. An attacker can exploit this by crafting a zone name that includes shell metacharacters (e.g., ;, |, &&) to inject arbitrary commands. When the ps command is executed on the remote system, the injected commands will also be processed by the shell, leading to arbitrary command execution on the Solaris host.
What is the Impact of CVE-2019-14904?
Successful exploitation may allow attackers to execute arbitrary commands on the remote Solaris host, leading to full system compromise, data manipulation, or denial of service.
What is the Exploitability of CVE-2019-14904?
Exploitation complexity is moderate, requiring knowledge of shell command injection techniques and the ability to supply input to the solaris_zone module. Authentication to the Ansible controller is required, and the user needs permissions to execute tasks on the target Solaris host using the solaris_zone module. This implies an authenticated remote attacker. No specialized privileges are needed on the target beyond what Ansible would typically use to manage zones. The risk is high when untrusted inputs can influence Ansible playbook variables for this module.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2019-14904?
Available Upgrade Options
- ansible
- <2.7.15 → Upgrade to 2.7.15
- ansible
- <2.7.16 → Upgrade to 2.7.16
- ansible
- >=2.8.0a1, <2.8.8 → Upgrade to 2.8.8
- ansible
- >=2.9.0a1, <2.9.3 → Upgrade to 2.9.3
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/ansible/ansible/pull/65686
- https://github.com/ansible/ansible/commit/589a415f887b6f2bb65cd07fe6b2e9d0a8156b69
- https://osv.dev/vulnerability/GHSA-gwr8-5j83-483c
- https://osv.dev/vulnerability/PYSEC-2020-161
- https://nvd.nist.gov/vuln/detail/CVE-2019-14904
- https://bugzilla.redhat.com/show_bug.cgi?id=1776944
- https://www.debian.org/security/2021/dsa-4950
- https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
- https://github.com/ansible/ansible
- https://bugzilla.redhat.com/show_bug.cgi?id=1776944
What are Similar Vulnerabilities to CVE-2019-14904?
Similar Vulnerabilities: CVE-2021-36260 , CVE-2021-41988 , CVE-2021-44758 , CVE-2022-41903 , CVE-2021-37599
