CVE-2020-1738

Summary

CVE	CVE-2020-1738
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-03-16 16:15:00 UTC
Updated	2023-11-07 03:19:00 UTC
Description	A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Risk And Classification

Problem Types: CWE-88

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Redhat	Ansible	All	All	All	All
Application	Redhat	Ansible	All	All	All	All
Application	Redhat	Ansible	All	All	All	All
Application	Redhat	Ansible Tower	All	All	All	All
Application	Redhat	Ansible Tower	All	All	All	All
Application	Redhat	Ansible Tower	All	All	All	All
Application	Redhat	Ansible Tower	All	All	All	All
Application	Redhat	Cloudforms Management Engine	5.0	All	All	All
Application	Redhat	Cloudforms Management Engine	5.0	All	All	All
Application	Redhat	Openstack	13	All	All	All
Application	Redhat	Openstack	13.0	All	All	All
Application	Redhat	Openstack	13.0	All	All	All

References

Reference	Source	Link	Tags
Ansible: Multiple vulnerabilities (GLSA 202006-11) — Gentoo security	GENTOO	security.gentoo.org
1802164 – (CVE-2020-1738) CVE-2020-1738 ansible: module package can be selected by the ansible facts	CONFIRM	bugzilla.redhat.com	Issue Tracking, Vendor Advisory
package and service modules allow arbitrary modules to be executed · Issue #67796 · ansible/ansible · GitHub	CONFIRM	github.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.