CVE-2020-1738
Argument Injection in Ansible
3.9
LOW
CVSS 3.1
EPSS 0.21%
Description
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
How to fix CVE-2020-1738
To remediate CVE-2020-1738, upgrade the affected package to a fixed version below.
- —no fix listed
- —no fix listed
- —upgrade to 2.7.17 or later
Is CVE-2020-1738 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0
- from 0, <= 2.7.16
- from 0, < 2.7.17, >= 2.8.0, < 2.8.9, >= 2.9.0, < 2.9.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L |
| osv | CVSS 3.1 | LOW3.9 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L |