CVE-2020-1734

A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts.

Published: Mar 3, 2020
Updated: May 9, 2024
CVE: CVE-2020-1734
GHSA: GHSA-h39q-95q5-9jfp
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.4
AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L

CVSS v2:

Severity: Low
Score: 3.7
AV:L/AC:H/Au:N/C:P/I:P/A:P

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
redhat / ansible_tower	3.4.5	3.4.5.x
redhat / ansible_tower	3.5.5	3.5.5.x
redhat / ansible_tower	3.6.3	3.6.3.x
redhat / ansible_engine	2.8.8	2.8.8.x
redhat / ansible_engine	2.9.5	2.9.5.x
redhat / ansible_engine	-	2.7.16.x
redhat / ansible_tower	-	3.3.4.x
ansible	-	2.10.x

https://access.redhat.com/errata/RHBA-2020:0547
https://access.redhat.com/errata/RHBA-2020:1539
https://access.redhat.com/security/cve/CVE-2020-1734
https://bugzilla.redhat.com/show_bug.cgi?id=1801804
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1734
https://github.com/ansible/ansible/issues/67792

Vulnerability Database

289,689

CVE-2020-1734