Ansible is vulnerable to OS command injection. The attack is possible because the module nxos_file_copy
does not validate the remote_file parameter and directly uses the filenames from the parameter to copy files to a flash or bootflash on NXOS devices, allowing an attacker to inject malicious command through it.
lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
access.redhat.com/errata/RHSA-2020:0216
access.redhat.com/errata/RHSA-2020:0218
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905
github.com/ansible/ansible/commit/02572cb9ec94462261c035b33de506e4e505b3ca
github.com/ansible/ansible/pull/60643
lists.fedoraproject.org/archives/list/[email protected]/message/5BNCYPQ4BY5QHBCJOAOPANB5FHATW2BR/