GHSA-f85h-23mf-2fwh
Vulnerability from github
Published
2022-02-09 22:00
Modified
2024-09-06 18:18
Severity
3.9 (Low) - CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
1.0 (Low) - CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L
Summary
Argument Injection in Ansible
Details

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.7.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0a1"
            },
            {
              "last_affected": "2.8.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0a1"
            },
            {
              "last_affected": "2.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-1738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-05T18:34:03Z",
    "nvd_published_at": "2020-03-16T16:15:00Z",
    "severity": "LOW"
  },
  "details": "A flaw was found in Ansible Engine when the module package or service is used and the parameter \u0027use\u0027 is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.",
  "id": "GHSA-f85h-23mf-2fwh",
  "modified": "2024-09-06T18:18:14Z",
  "published": "2022-02-09T22:00:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1738"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/issues/67796"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/67808"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-f85h-23mf-2fwh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-10.yaml"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202006-11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Argument Injection in Ansible"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.