CVE-2020-1738 – ansible

Package

Manager: pip
Name: ansible
Vulnerable Version: >=0 <=2.7.16 || >=2.8.0a1 <=2.8.10 || >=2.9.0a1 <=2.9.6

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L

EPSS: 0.00139 pctl0.34577

Details

Argument Injection in Ansible A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Metadata

Created: 2022-02-09T22:00:04Z
Modified: 2024-09-06T18:18:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f85h-23mf-2fwh/GHSA-f85h-23mf-2fwh.json
CWE IDs: ["CWE-88"]
Alternative ID: GHSA-f85h-23mf-2fwh
Finding: F014
Auto approve: 1