CVE-2020-1735

A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Published: Mar 16, 2020
Updated: May 9, 2024
CVE: CVE-2020-1735
GHSA: GHSA-gfr2-qpxh-qj9m
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.6
AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.6
AV:L/AC:L/Au:N/C:P/I:P/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
redhat / cloudforms_management_engine	5.0	5.0.x
redhat / ansible_tower	-	3.3.4.x
redhat / ansible_tower	3.6.0	3.6.3.x
redhat / ansible_tower	3.5.0	3.5.5.x
redhat / ansible_tower	3.3.5	3.4.5.x
redhat / openstack	13	13.x
redhat / ansible	-	2.7.17
redhat / ansible	2.8.0	2.8.11
redhat / ansible	2.9.0	2.9.7
debian / debian_linux	10.0	10.0.x
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x
ansible	2.7.0	2.9.7

Vulnerability Database

CVE-2020-1735

Deep Security Visibility Without the Complexity