CVE-2020-1738 vulnerability in Red Hat Products

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Vulnerability Analysis

CVE-2020-1738 is exploitable with local system access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity and availability.

Attack Vector:

LOCAL

Attack Complexity:

HIGH

Privileges Required:

LOW

User Interaction:

REQUIRED

Scope:

CHANGED

Confidentiality Impact:

NONE

Integrity Impact:

LOW

Availability Impact:

LOW

Weakness Type

What is an Argument Injection Vulnerability?

The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CVE-2020-1738 has been classified to as an Argument Injection vulnerability or weakness.

Products Associated with CVE-2020-1738

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Ansible

Red Hat Ansible Tower

Red Hat Cloudforms Management Engine

Red Hat Openstack

Affected Versions

Exploit Probability

EPSS

0.14%

Percentile

33.77%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.