Description
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
References (3)
Core 3
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738
Third Party Advisory x_refsource_confirm
https://github.com/ansible/ansible/issues/67796
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202006-11
Scores
CVSS v3
3.9
EPSS
0.0038
EPSS Percentile
29.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
Details
CWE
CWE-88
Status
published
Products (5)
pypi/ansible
0PyPI
redhat/ansible
< 2.7.16
redhat/ansible_tower
< 3.3.4
redhat/cloudforms_management_engine
5.0
redhat/openstack
13
Published
Mar 16, 2020
Tracked Since
Feb 18, 2026