CVE-2020-1734

A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts.

CVSS v3 7.4 HIGH
CVSS v2.0 3.7 LOW

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 0.8 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

3.7^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:H/Au:N/C:P/I:P/A:P

Exploitability : 1.9 / Impact : 6.4

Access Vector LOCAL

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1734	Issue Tracking Third Party Advisory
https://github.com/ansible/ansible/issues/67792	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1734	Issue Tracking Third Party Advisory
https://github.com/ansible/ansible/issues/67792	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:ansible_engine::::::::
	cpe:2.3:a:redhat:ansible_engine:2.8.8:::::::*
	cpe:2.3:a:redhat:ansible_engine:2.9.5:::::::*
	cpe:2.3:a:redhat:ansible_tower::::::::
	cpe:2.3:a:redhat:ansible_tower:3.4.5:::::::*
	cpe:2.3:a:redhat:ansible_tower:3.5.5:::::::*
	cpe:2.3:a:redhat:ansible_tower:3.6.3:::::::*

History

21 Nov 2024, 05:11

Type	Values Removed	Values Added
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1734 - Issue Tracking, Third Party Advisory~~	() https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1734 - Issue Tracking, Third Party Advisory
References	~~() https://github.com/ansible/ansible/issues/67792 - Third Party Advisory~~	() https://github.com/ansible/ansible/issues/67792 - Third Party Advisory

Information

Published : 2020-03-03 22:15

Updated : 2024-11-21 05:11

NVD link : CVE-2020-1734

Mitre link : CVE-2020-1734

CVE.ORG link : CVE-2020-1734

JSON object : View

Products Affected

redhat

ansible_engine
ansible_tower

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2020-1734", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.7, "accessVector": "LOCAL", "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 1.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 0.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 0.8}]}, "published": "2020-03-03T22:15:10.843", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1734", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/ansible/ansible/issues/67792", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1734", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ansible/ansible/issues/67792", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en el plugin pipe lookup de ansible. Los comandos arbitrarios se pueden ejecutar, cuando el plugin pipe lookup utiliza la funci\u00f3n subprocess.Popen() con shell=True, al sobrescribir los datos de ansible y la variable no se escapa mediante el plugin citado. Un atacante podr\u00eda tomar ventaja y ejecutar comandos arbitrarios al sobrescribir los datos de ansible."}], "lastModified": "2024-11-21T05:11:16.197", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E713A0F-6AD3-409E-87AA-DE7EB5B7525C", "versionEndIncluding": "2.7.16"}, {"criteria": "cpe:2.3:a:redhat:ansible_engine:2.8.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CDC2F2BC-209D-4FA4-B1E1-E486DE8AC48B"}, {"criteria": "cpe:2.3:a:redhat:ansible_engine:2.9.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8599992B-8847-4332-80CC-F98FA4125272"}, {"criteria": "cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3C5721F-050A-42A3-A71D-6C6BA23D58FE", "versionEndIncluding": "3.3.4"}, {"criteria": "cpe:2.3:a:redhat:ansible_tower:3.4.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16776B7F-83E9-4918-94D8-60CA0F96F870"}, {"criteria": "cpe:2.3:a:redhat:ansible_tower:3.5.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8FE9389E-3129-4A14-96CA-5113BD09AD10"}, {"criteria": "cpe:2.3:a:redhat:ansible_tower:3.6.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E695D048-7109-4840-8DE1-59AC1690E667"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}