A vulnerability has been found in nxos_file_copy from Ansible module. Filenames are used to perform actions to copy files to a flash or bootflash on NXOS devices. However, nxos_file_copy takes remote_file parameter which is used for destination. Malicious code could crafts the filename parameter to take advantage by performing an OS command injection.
Name: Abhijeet Kasurde (Red Hat)
Created ansible tracking bugs for this issue:
Affects: epel-all [bug 1777693]
Affects: fedora-all [bug 1777692]
Affects: openstack-rdo [bug 1777691]
Adding Ganesh Nalawade who is fixing this issue.
PR fixed and merged to devel https://github.com/ansible/ansible/pull/65423
2.9 -> https://github.com/ansible/ansible/pull/65846
2.8 -> https://github.com/ansible/ansible/pull/65847
2.7 -> https://github.com/ansible/ansible/pull/65848
Gluster and Ceph no more maintains ansible, and the plan is to use from ansible repository. But we still ship ansible separately in ceph ubuntu.
Hi Red Hat Team.
Happy new year ^_^
Could you please recheck on 2.9.2 ?
We think Ansible 2.9.2 is also vulnerable. We checked the source files of 2.9.2 ; and the related commit  was not embedded.
Ansible 2.8.8 and 2.7.16 are not released yet  so we can't check.
CERT Orange Cyberdefense
Many thanks for the report. Indeed you are right, 2.9.2 it is still vulnerable. The fix was getting ready to fix on the 2.9.2 release. However, for some reason the PR was blocked. I updated and corrected that information and contacted the engineer if there is any estimations and technicalities regarding the fix.
Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.
Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 no longer maintain their own version of Ansible. Therefore this fix will be consumed directly from core Ansible.
There is no mitigation for this issue, the flaw can only be resolved by applying updates.