CVE-2020-1738

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Published: Mar 16, 2020
Updated: May 9, 2024
CVE: CVE-2020-1738
GHSA: GHSA-f85h-23mf-2fwh
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.9
AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L

CVSS v2:

Severity: Low
Score: 2.6
AV:L/AC:H/Au:N/C:N/I:P/A:P

CWEs:

CWE-88

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
redhat / cloudforms_management_engine	5.0	5.0.x
redhat / ansible_tower	-	3.3.4.x
redhat / ansible_tower	3.6.0	3.6.3.x
redhat / ansible_tower	3.5.0	3.5.5.x
redhat / ansible_tower	3.3.5	3.4.5.x
redhat / ansible	2.9.0	2.9.5.x
redhat / ansible	-	2.7.16.x
redhat / ansible	2.8.0	2.8.8.x
redhat / openstack	13	13.x
ansible	-	2.9.19.x

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738
https://github.com/ansible/ansible/issues/67796
https://security.gentoo.org/glsa/202006-11

Vulnerability Database

289,599

CVE-2020-1738