7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-14904

GHSA ID

GHSA-gwr8-5j83-483c

EPSS Score

0.13916%

CWE

CWE-20

Published

4/20/2021

Updated

9/6/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-14904

CVE-2019-14904: OS Command Injection and Improper Input Validation in ansible

A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.

(GitHub Advisory)

7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-14904

GHSA ID

GHSA-gwr8-5j83-483c

EPSS Score

0.13916%

CWE

CWE-20

Published

4/20/2021

Updated

9/6/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ansible	pip	>= 0, < 2.7.16	2.7.16
ansible	pip	>= 2.8.0a1, < 2.8.8	2.8.8
ansible	pip	>= 2.9.0a1, < 2.9.3	2.9.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper input validation in the solaris_zone module. The patch adds a regex validation check for the 'name' parameter in the SolarisZone.init method, confirming this was the missing safeguard. Prior to the fix, arbitrary zone names could include shell metacharacters, which were then passed to 'ps' commands (e.g., during zone status checks), leading to command injection. The init method is the logical point where input validation should occur, and its absence directly enabled the exploit.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *oun* in t** sol*ris_zon* mo*ul* *rom t** *nsi*l* *ommunity mo*ul*s. W**n s*ttin* t** n*m* *or t** zon* on t** Sol*ris *ost, t** zon* n*m* is ****k** *y listin* t** pro**ss wit* t** 'ps' **r* *omm*n* on t** r*mot* m***in*. *n *tt**k*r *oul

Reasoning

T** vuln*r**ility st*ms *rom improp*r input v*li**tion in t** sol*ris_zon* mo*ul*. T** p*t** ***s * r***x v*li**tion ****k *or t** 'n*m*' p*r*m*t*r in t** Sol*risZon*.__init__ m*t*o*, *on*irmin* t*is w*s t** missin* s****u*r*. Prior to t** *ix, *r*it

7.3

Basic Information

Concerned about an active attack path?

CVE-2019-14904: OS Command Injection and Improper Input Validation in ansible

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI