CVE-2020-1738
Publication date 16 March 2020
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Status
Package | Ubuntu Release | Status |
---|---|---|
ansible | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble |
Needs evaluation
|
|
22.04 LTS jammy |
Needs evaluation
|
|
20.04 LTS focal |
Needs evaluation
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Ignored end of ESM support, was needs-triage |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 3.9 · Low |
Attack vector | Local |
Attack complexity | High |
Privileges required | Low |
User interaction | Required |
Scope | Changed |
Confidentiality | None |
Integrity impact | Low |
Availability impact | Low |
Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L |