CVE-2020-1734

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-1734
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1734.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-1734
Aliases
Downstream
Related
Published
2020-03-03T22:15:10.843Z
Modified
2026-03-14T10:19:25.657588Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L CVSS Calculator
Summary
[none]
Details

A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts.

References

Affected packages

Git / github.com/ansible/ansible

Affected ranges

Type
GIT
Repo
https://github.com/ansible/ansible
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
8fd406ee8e3a14be72b3cbbfe91d03fe35952f95
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
d28e4b63c7b70acbaf0a1fedd53c91b6686574a0
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
9388be4269bdf83406bfa9245142de8b7dc8cfbc
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.7.16"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.8.8"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.9.5"
        }
    ]
}

Affected versions

0.*
0.0.1
0.0.2
0.01
0.3
0.7
stable-2.*
stable-2.9-branchpoint
v1.*
v1.0
v1.1
v1.2
v1.4.0
v1.5.0
v1.5.1
v1.6.0
Other
v1_last
v2.*
v2.0.0-0.1.alpha1
v2.0.0-0.2.alpha2
v2.0.0-0.3.beta1
v2.0.0-0.4.beta2
v2.0.0-0.5.beta3
v2.6.0a1
v2.7.0
v2.7.0.a1
v2.7.0b1
v2.7.0rc1
v2.7.0rc2
v2.7.0rc3
v2.7.0rc4
v2.7.1
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v2.8.0a1
v2.8.0b1
v2.8.0rc1
v2.8.0rc2
v2.8.0rc3
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.9.0
v2.9.0b1
v2.9.0rc1
v2.9.0rc2
v2.9.0rc3
v2.9.0rc4
v2.9.0rc5
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v2.9.5

Database specific

unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.3.4"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.4.5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.5.5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.6.3"
            }
        ]
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1734.json"