3.9
CVE-2020-1738
- EPSS 0.14%
- Published 16.03.2020 16:15:14
- Last modified 21.11.2024 05:11:16
- Source secalert@redhat.com
- Teams watchlist Login
- Open Login
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Data is provided by the National Vulnerability Database (NVD)
Redhat ≫ Ansible Tower Version <= 3.3.4
Redhat ≫ Ansible Tower Version >= 3.3.5 <= 3.4.5
Redhat ≫ Ansible Tower Version >= 3.5.0 <= 3.5.5
Redhat ≫ Ansible Tower Version >= 3.6.0 <= 3.6.3
Redhat ≫ Cloudforms Management Engine Version5.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.346 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 3.9 | 0.8 | 2.7 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
|
| nvd@nist.gov | 2.6 | 1.9 | 4.9 |
AV:L/AC:H/Au:N/C:N/I:P/A:P
|
| secalert@redhat.com | 3.9 | 0.8 | 2.7 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
|
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.