A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
https://security.gentoo.org/glsa/202006-11
Published: 2020-03-16
Updated: 2024-11-21
Base Score: 2.6
Vector: CVSS2#AV:L/AC:H/Au:N/C:N/I:P/A:P
Severity: Low
Base Score: 3.9
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
Severity: Low
Base Score: 1
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L
Severity: Low