CVE-2020-1738
low-risk
Published 2020-03-16
A flaw was found in Ansible Engine when the package or service module is used and the 'use' parameter is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the Ansible facts file. All versions in the 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Do I need to act?
0.14% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 3.9/10
Low
LOCAL / HIGH complexity
Affected Products (4)
Affected Vendors
References (6)
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738
Third Party Advisory
https://github.com/ansible/ansible/issues/67796
21 / 100
low-risk
Severity
10/34 · Low
Exploitability
1/34 · Minimal
Exposure
10/34 · Low