Vulnerability Details : CVE-2020-1734
A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts.
Products affected by CVE-2020-1734
- cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_tower:3.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_tower:3.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_tower:3.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_engine:2.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_engine:2.9.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-1734
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 29 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-1734
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.7
|
LOW | AV:L/AC:H/Au:N/C:P/I:P/A:P |
1.9
|
6.4
|
NIST | |
7.4
|
HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L |
0.8
|
6.0
|
NIST | |
7.4
|
HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L |
0.8
|
6.0
|
Red Hat, Inc. |
CWE ids for CVE-2020-1734
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by:
- nvd@nist.gov (Secondary)
- secalert@redhat.com (Primary)
References for CVE-2020-1734
-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1734
1801804 – (CVE-2020-1734) CVE-2020-1734 ansible: shell enabled by default in a pipe lookup plugin subprocessIssue Tracking;Third Party Advisory
-
https://github.com/ansible/ansible/issues/67792
pipe lookup plugin enables shell by default · Issue #67792 · ansible/ansible · GitHubThird Party Advisory
Jump to