CVE-2020-1738
LOW 3.9 | EPSS 0.21% | Argument Injection in Ansible
Published: 2022/2/9 | Modified: 2026/4/28
Also known as: DEBIAN-CVE-2020-1738
Description
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Affected packages (3)
- Debian/ansible: from 0
- PyPI/ansible: from 0, <= 2.7.16
- PyPI/ansible: from 0, < 2.7.17, >= 2.8.0, < 2.8.9, >= 2.9.0, < 2.9.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L |
| osv | CVSS 3.1 | LOW 3.9 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L |
References (9)
- ADVISORY: https://github.com/advisories/GHSA-f85h-23mf-2fwh
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-1738
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2020-1738
- PATCH: https://github.com/ansible/ansible
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738
- WEB: https://github.com/ansible/ansible/issues/67796
- WEB: https://github.com/ansible/ansible/pull/67808
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-10.yaml
- WEB: https://security.gentoo.org/glsa/202006-11