← Back

CVE-2020-1738

nvd nist
Published: Mar 16, 2020Modified: Nov 21, 2024

JSON object

Loading...
3.9
Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
Exploitability: 0.8 / Impact: 2.7
Source: NVD

Description

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Affected (9)

Redhat
4 products
Ansible
Ansible Tower
Cloudforms Management Engine
Openstack
Configuration A
9 vulnerable
Vulnerable SoftwareAffected Versions
Redhat
Ansible
Up to 2.7.16
Ansible
From 2.8.0 to 2.8.8
Ansible
From 2.9.0 to 2.9.5
Redhat
Ansible Tower
Up to 3.3.4
Ansible Tower
From 3.3.5 to 3.4.5
Ansible Tower
From 3.5.0 to 3.5.5
Ansible Tower
From 3.6.0 to 3.6.3
Cloudforms Management Engine
Version 5.0
Openstack
Version 13

Related CWEs

CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

References (6)

Source: secalert@redhat.com
Issue TrackingVendor Advisory
Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.