Fluid Attacks Database

Description

OS Command Injection in ansible A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	ansible	=10.0.0+dfsg-1 \|\| =10.0.1+dfsg-1 \|\| =10.1.0+dfsg-1 \|\| =10.5.0+dfsg-1 \|\| =10.5.0+dfsg-2 \|\| =10.6.0+dfsg-1 \|\| =11.1.0+dfsg-1 \|\| =11.2.0+dfsg-1 \|\| =12.0.0+dfsg-1 \|\| =12.0.0~a1+dfsg-1 \|\| =12.0.0~a2+dfsg-1 \|\| =12.0.0~a4+dfsg-1 \|\| =12.0.0~a6+dfsg-1 \|\| =12.0.0~b1+dfsg-1 \|\| =12.0.0~b2+dfsg-1 \|\| =12.0.0~b3+dfsg-1 \|\| =12.0.0~b5+dfsg-1 \|\| =12.2.0+dfsg-1 \|\| =13.1.0+dfsg-1 \|\| =13.4.0+dfsg-1 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u1 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u2 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u3 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u4 \|\| =2.10.7+merged+base+2.10.8+dfsg-1 \|\| =4.6.0-1 \|\| =5.4.0-1 \|\| =5.5.0-1 \|\| =6.3.0+dfsg-1 \|\| =6.4.0+dfsg-1 \|\| =7.0.0+dfsg-1 \|\| =7.0.0+dfsg-2 \|\| =7.1.0+dfsg-1 \|\| =7.2.0+dfsg-2 \|\| =7.3.0+dfsg-1 \|\| =7.7.0+dfsg-1 \|\| =7.7.0+dfsg-2 \|\| =7.7.0+dfsg-3 \|\| =9.4.0+dfsg-1 \|\| =9.5.1+dfsg-1	-
pypi	ansible	>=2.10.0a1 <2.10.0rc1 \|\| >=2.9.0a1 <2.9.11 \|\| >=0 <2.8.13	2.10.0rc1, 2.9.11, 2.8.13
debian 14	ansible	=12.0.0+dfsg-1 \|\| =12.0.0~a6+dfsg-1 \|\| =12.0.0~b1+dfsg-1 \|\| =12.0.0~b2+dfsg-1 \|\| =12.0.0~b3+dfsg-1 \|\| =12.0.0~b5+dfsg-1 \|\| =12.2.0+dfsg-1 \|\| =13.1.0+dfsg-1 \|\| =13.4.0+dfsg-1	-
debian 12	ansible	=10.0.0+dfsg-1 \|\| =10.0.1+dfsg-1 \|\| =10.1.0+dfsg-1 \|\| =10.5.0+dfsg-1 \|\| =10.5.0+dfsg-2 \|\| =10.6.0+dfsg-1 \|\| =11.1.0+dfsg-1 \|\| =11.2.0+dfsg-1 \|\| =12.0.0+dfsg-1 \|\| =12.0.0~a1+dfsg-1 \|\| =12.0.0~a2+dfsg-1 \|\| =12.0.0~a4+dfsg-1 \|\| =12.0.0~a6+dfsg-1 \|\| =12.0.0~b1+dfsg-1 \|\| =12.0.0~b2+dfsg-1 \|\| =12.0.0~b3+dfsg-1 \|\| =12.0.0~b5+dfsg-1 \|\| =12.2.0+dfsg-1 \|\| =13.1.0+dfsg-1 \|\| =13.4.0+dfsg-1 \|\| =7.3.0+dfsg-1 \|\| =7.7.0+dfsg-1 \|\| =7.7.0+dfsg-2 \|\| =7.7.0+dfsg-3 \|\| =7.7.0+dfsg-3+deb12u1 \|\| =9.4.0+dfsg-1 \|\| =9.5.1+dfsg-1	-
debian 13	ansible	=12.0.0+dfsg-0+deb13u1 \|\| =12.0.0+dfsg-1 \|\| =12.0.0~a6+dfsg-1 \|\| =12.0.0~b1+dfsg-1 \|\| =12.0.0~b2+dfsg-1 \|\| =12.0.0~b3+dfsg-1 \|\| =12.0.0~b5+dfsg-0+deb13u1 \|\| =12.0.0~b5+dfsg-1 \|\| =12.2.0+dfsg-1 \|\| =13.1.0+dfsg-1 \|\| =13.4.0+dfsg-1	-

Aliases

1. CVE-2020-17342. NVD-2020-17343. OSV-DEBIAN-2020-17344. OSV-2020-17345. GHSA-h39q-95q5-9jfp6. GCVE-2020-17347. SECURITY-TRACKER-CVE-2020-17348. access.redhat.com9. access.redhat.com10. ACCESS-CVE-2020-1734

References

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.