CVE-2019-14905: 
Ansible Tower vulnerability analysis and mitigation

A vulnerability was identified in Ansible Engine affecting versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier. The vulnerability exists in Ansible's nxos_file_copy module, which is used to copy files to flash or bootflash on NXOS devices. The issue was discovered by Abhijeet Kasurde from Red Hat and was assigned CVE-2019-14905 (CVE Mitre).

The vulnerability exists in the nxos_file_copy module where malicious code could craft the filename parameter to perform OS command injections. The issue specifically relates to how the remote_file parameter is handled when copying files to NXOS devices. The vulnerability was fixed in Ansible versions 2.9.3, 2.8.8, and 2.7.16 through a series of security patches (Red Hat Bugzilla).

If exploited, this vulnerability could result in OS command injection, potentially leading to a loss of confidentiality of the system. The severity of the vulnerability was rated as moderate according to Red Hat's security classification (Red Hat Advisory).

The vulnerability was addressed through security updates in multiple versions: Ansible Engine 2.9.3, 2.8.8, and 2.7.16. Users are advised to upgrade to these or later versions. There are no known workarounds for this issue; the only mitigation is to apply the security updates (Red Hat Bugzilla).