CVE-2020-1738

LOW

Ansible Engine - Code Injection

Title source: llm

Description

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

References (3)

[Issue Tracking, Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738

[Third Party Advisory] https://github.com/ansible/ansible/issues/67796

[Third Party Advisory] https://security.gentoo.org/glsa/202006-11

Scores

CVSS v3 3.9

EPSS 0.0014

EPSS Percentile 33.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L

Classification

CWE

CWE-88

Status published

Affected Products (5)

redhat/ansible < 2.7.16

redhat/ansible_tower < 3.3.4

redhat/cloudforms_management_engine

redhat/openstack

pypi/ansible PyPI

Timeline

Published Mar 16, 2020

Tracked Since Feb 18, 2026