CVE-2020-1738
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/03/2020
Last modified:
07/11/2023
Description
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Impact
Base Score 3.x
3.90
Severity 3.x
LOW
Base Score 2.0
2.60
Severity 2.0
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:* | 2.7.16 (including) | |
| cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:* | 2.8.0 (including) | 2.8.8 (including) |
| cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:* | 2.9.0 (including) | 2.9.5 (including) |
| cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:* | 3.3.4 (including) | |
| cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:* | 3.3.5 (including) | 3.4.5 (including) |
| cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:* | 3.5.0 (including) | 3.5.5 (including) |
| cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:* | 3.6.0 (including) | 3.6.3 (including) |
| cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page