pysec-2020-10
Vulnerability from pysec
Published
2020-03-16 16:15
Modified
2020-06-13 04:15
Details
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible",
"purl": "pkg:pypi/ansible"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.17"
},
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.9"
},
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0",
"1.1",
"1.2",
"1.2.1",
"1.2.2",
"1.2.3",
"1.3.0",
"1.3.1",
"1.3.2",
"1.3.3",
"1.3.4",
"1.4",
"1.4.1",
"1.4.2",
"1.4.3",
"1.4.4",
"1.4.5",
"1.5",
"1.5.1",
"1.5.2",
"1.5.3",
"1.5.4",
"1.5.5",
"1.6",
"1.6.1",
"1.6.2",
"1.6.3",
"1.6.4",
"1.6.5",
"1.6.6",
"1.6.7",
"1.6.8",
"1.6.9",
"1.6.10",
"1.7",
"1.7.1",
"1.7.2",
"1.8",
"1.8.1",
"1.8.2",
"1.8.3",
"1.8.4",
"1.9.0",
"1.9.0.1",
"1.9.1",
"1.9.2",
"1.9.3",
"1.9.4",
"1.9.5",
"1.9.6",
"2.0.0.0",
"2.0.0",
"2.0.0.1",
"2.0.0.2",
"2.0.1.0",
"2.0.2.0",
"2.1.0.0",
"2.1.1.0",
"2.1.2.0",
"2.1.3.0",
"2.1.4.0",
"2.1.5.0",
"2.1.6.0",
"2.2.0.0",
"2.2.1.0",
"2.2.2.0",
"2.2.3.0",
"2.3.0.0",
"2.3.1.0",
"2.3.2.0",
"2.3.3.0",
"2.4.0.0",
"2.4.1.0",
"2.4.2.0",
"2.4.3.0",
"2.4.4.0",
"2.4.5.0",
"2.4.6.0",
"2.5.0a1",
"2.5.0b1",
"2.5.0b2",
"2.5.0rc1",
"2.5.0rc2",
"2.5.0rc3",
"2.5.0",
"2.5.1",
"2.5.2",
"2.5.3",
"2.5.4",
"2.5.5",
"2.5.6",
"2.5.7",
"2.5.8",
"2.5.9",
"2.5.10",
"2.5.11",
"2.5.12",
"2.5.13",
"2.5.14",
"2.5.15",
"2.6.0a1",
"2.6.0a2",
"2.6.0rc1",
"2.6.0rc2",
"2.6.0rc3",
"2.6.0rc4",
"2.6.0rc5",
"2.6.0",
"2.6.1",
"2.6.2",
"2.6.3",
"2.6.4",
"2.6.5",
"2.6.6",
"2.6.7",
"2.6.8",
"2.6.9",
"2.6.10",
"2.6.11",
"2.6.12",
"2.6.13",
"2.6.14",
"2.6.15",
"2.6.16",
"2.6.17",
"2.6.18",
"2.6.19",
"2.6.20",
"2.7.0.dev0",
"2.7.0a1",
"2.7.0b1",
"2.7.0rc1",
"2.7.0rc2",
"2.7.0rc3",
"2.7.0rc4",
"2.7.0",
"2.7.1",
"2.7.2",
"2.7.3",
"2.7.4",
"2.7.5",
"2.7.6",
"2.7.7",
"2.7.8",
"2.7.9",
"2.7.10",
"2.7.11",
"2.7.12",
"2.7.13",
"2.7.14",
"2.7.15",
"2.7.16",
"2.8.0",
"2.8.1",
"2.8.2",
"2.8.3",
"2.8.4",
"2.8.5",
"2.8.6",
"2.8.7",
"2.8.8",
"2.9.0",
"2.9.1",
"2.9.2",
"2.9.3",
"2.9.4",
"2.9.5"
]
}
],
"aliases": [
"CVE-2020-1738",
"GHSA-f85h-23mf-2fwh"
],
"details": "A flaw was found in Ansible Engine when the module package or service is used and the parameter \u0027use\u0027 is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.",
"id": "PYSEC-2020-10",
"modified": "2020-06-13T04:15:00Z",
"published": "2020-03-16T16:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738"
},
{
"type": "REPORT",
"url": "https://github.com/ansible/ansible/issues/67796"
},
{
"type": "ADVISORY",
"url": "https://security.gentoo.org/glsa/202006-11"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-f85h-23mf-2fwh"
}
]
}
Loading...