Fluid Attacks Database

Description

Argument Injection in Ansible A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	ansible	=12.0.0+dfsg-1 \|\| =12.0.0~a6+dfsg-1 \|\| =12.0.0~b1+dfsg-1 \|\| =12.0.0~b2+dfsg-1 \|\| =12.0.0~b3+dfsg-1 \|\| =12.0.0~b5+dfsg-1 \|\| =12.2.0+dfsg-1 \|\| =13.1.0+dfsg-1 \|\| =13.4.0+dfsg-1	-
pypi	ansible	>=0 <=2.7.16 \|\| >=2.8.0a1 <=2.8.10 \|\| >=2.9.0a1 <=2.9.6	2.7.17, 2.8.11, 2.9.7
debian 11	ansible	=10.0.0+dfsg-1 \|\| =10.0.1+dfsg-1 \|\| =10.1.0+dfsg-1 \|\| =10.5.0+dfsg-1 \|\| =10.5.0+dfsg-2 \|\| =10.6.0+dfsg-1 \|\| =11.1.0+dfsg-1 \|\| =11.2.0+dfsg-1 \|\| =12.0.0+dfsg-1 \|\| =12.0.0~a1+dfsg-1 \|\| =12.0.0~a2+dfsg-1 \|\| =12.0.0~a4+dfsg-1 \|\| =12.0.0~a6+dfsg-1 \|\| =12.0.0~b1+dfsg-1 \|\| =12.0.0~b2+dfsg-1 \|\| =12.0.0~b3+dfsg-1 \|\| =12.0.0~b5+dfsg-1 \|\| =12.2.0+dfsg-1 \|\| =13.1.0+dfsg-1 \|\| =13.4.0+dfsg-1 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u1 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u2 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u3 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u4 \|\| =2.10.7+merged+base+2.10.8+dfsg-1 \|\| =4.6.0-1 \|\| =5.4.0-1 \|\| =5.5.0-1 \|\| =6.3.0+dfsg-1 \|\| =6.4.0+dfsg-1 \|\| =7.0.0+dfsg-1 \|\| =7.0.0+dfsg-2 \|\| =7.1.0+dfsg-1 \|\| =7.2.0+dfsg-2 \|\| =7.3.0+dfsg-1 \|\| =7.7.0+dfsg-1 \|\| =7.7.0+dfsg-2 \|\| =7.7.0+dfsg-3 \|\| =9.4.0+dfsg-1 \|\| =9.5.1+dfsg-1	-
debian 12	ansible	=10.0.0+dfsg-1 \|\| =10.0.1+dfsg-1 \|\| =10.1.0+dfsg-1 \|\| =10.5.0+dfsg-1 \|\| =10.5.0+dfsg-2 \|\| =10.6.0+dfsg-1 \|\| =11.1.0+dfsg-1 \|\| =11.2.0+dfsg-1 \|\| =12.0.0+dfsg-1 \|\| =12.0.0~a1+dfsg-1 \|\| =12.0.0~a2+dfsg-1 \|\| =12.0.0~a4+dfsg-1 \|\| =12.0.0~a6+dfsg-1 \|\| =12.0.0~b1+dfsg-1 \|\| =12.0.0~b2+dfsg-1 \|\| =12.0.0~b3+dfsg-1 \|\| =12.0.0~b5+dfsg-1 \|\| =12.2.0+dfsg-1 \|\| =13.1.0+dfsg-1 \|\| =13.4.0+dfsg-1 \|\| =7.3.0+dfsg-1 \|\| =7.7.0+dfsg-1 \|\| =7.7.0+dfsg-2 \|\| =7.7.0+dfsg-3 \|\| =7.7.0+dfsg-3+deb12u1 \|\| =9.4.0+dfsg-1 \|\| =9.5.1+dfsg-1	-
debian 13	ansible	=12.0.0+dfsg-0+deb13u1 \|\| =12.0.0+dfsg-1 \|\| =12.0.0~a6+dfsg-1 \|\| =12.0.0~b1+dfsg-1 \|\| =12.0.0~b2+dfsg-1 \|\| =12.0.0~b3+dfsg-1 \|\| =12.0.0~b5+dfsg-0+deb13u1 \|\| =12.0.0~b5+dfsg-1 \|\| =12.2.0+dfsg-1 \|\| =13.1.0+dfsg-1 \|\| =13.4.0+dfsg-1	-

Aliases

1. CVE-2020-17382. NVD-2020-17383. OSV-DEBIAN-2020-17384. OSV-2020-17385. GHSA-f85h-23mf-2fwh6. GCVE-2020-17387. SECURITY-TRACKER-CVE-2020-17388. security.gentoo.org

References

1. https://github.com/ansible/ansible/issues/677962. https://github.com/ansible/ansible/pull/678083. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-17384. https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-10.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.