{ "document": { "aggregate_severity": { "text": "Low" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/ubuntu16.04els/vex/2020/cve-2020-1738-els_os-ubuntu16_04els.json" } ], "tracking": { "current_release_date": "2026-04-20T13:59:46Z", "generator": { "date": "2026-04-20T13:59:46Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2020-1738-ELS_OS-UBUNTU16.04ELS", "initial_release_date": "2020-03-16T16:15:00Z", "revision_history": [ { "date": "2020-03-16T16:15:00Z", "number": "1", "summary": "Initial version" }, { "date": "2026-04-10T19:43:17Z", "number": "2", "summary": "Official Publication" }, { "date": "2026-04-20T13:59:46Z", "number": "3", "summary": "Update document" } ], "status": "final", "version": "3" }, "title": "Security update on CVE-2020-1738" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Ubuntu 16.04", "product": { "name": "Ubuntu 16.04", "product_id": "Ubuntu-16", "product_identification_helper": { "cpe": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*" } } } ], "category": "product_family", "name": "Ubuntu" }, { "branches": [ { "category": "product_version", "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1.all", "product": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1.all", "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1.all", "product_identification_helper": { "purl": "pkg:deb/ubuntu/ansible@2.1.1.0-1~ubuntu16.04.1?arch=all" } } } ], "category": "architecture", "name": "all" } ], "category": "vendor", "name": "Canonical Ltd." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all", "product": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all", "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/tuxcare/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els1?arch=all" } } } ], "category": "architecture", "name": "all" } ], "category": "vendor", "name": "TuxCare" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all", "product": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all", "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els11?arch=all" } } }, { "category": "product_version", "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all", "product": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all", "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els12?arch=all" } } }, { "category": "product_version", "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all", "product": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all", "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els2?arch=all" } } }, { "category": "product_version", "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all", "product": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all", "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els8?arch=all" } } }, { "category": "product_version", "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all", "product": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all", "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els4?arch=all" } } }, { "category": "product_version", "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all", "product": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all", "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els5?arch=all" } } } ], "category": "architecture", "name": "all" } ], "category": "vendor", "name": "CloudLinux" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all as a component of Ubuntu 16.04", "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all" }, "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all", "relates_to_product_reference": "Ubuntu-16" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all as a component of Ubuntu 16.04", "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all" }, "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all", "relates_to_product_reference": "Ubuntu-16" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all as a component of Ubuntu 16.04", "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all" }, "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all", "relates_to_product_reference": "Ubuntu-16" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all as a component of Ubuntu 16.04", "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all" }, "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all", "relates_to_product_reference": "Ubuntu-16" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all as a component of Ubuntu 16.04", "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all" }, "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all", "relates_to_product_reference": "Ubuntu-16" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all as a component of Ubuntu 16.04", "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all" }, "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all", "relates_to_product_reference": "Ubuntu-16" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all as a component of Ubuntu 16.04", "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all" }, "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all", "relates_to_product_reference": "Ubuntu-16" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1.all as a component of Ubuntu 16.04", "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1.all" }, "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1.all", "relates_to_product_reference": "Ubuntu-16" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-1738", "cwe": { "id": "CWE-88", "name": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')" }, "notes": [ { "category": "description", "text": "A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2020-1738" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738" }, { "category": "external", "summary": "https://github.com/ansible/ansible/issues/67796", "url": "https://github.com/ansible/ansible/issues/67796" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/202006-11", "url": "https://security.gentoo.org/glsa/202006-11" } ], "release_date": "2020-03-16T16:15:00Z", "remediations": [ { "category": "no_fix_planned", "details": "CVE-2020-1738 requires a very specific chain: an operator must run a play that uses the package or service module without the ‘use’ parameter, and an attacker must already be able to influence ansible_facts (e.g., via a prior task executed as that user), making it a local, high‑complexity, user‑initiated attack with no confidentiality impact and only low integrity/availability impact. It primarily affected older Ansible Engine releases (e.g., 2.7/2.8 and 2.9 up to early 2.9.x) and does not apply when the provider is explicitly set. In centrally managed server automation where untrusted users cannot write facts or module paths, the practical exploitability of this issue is minimal, so it can be safely deprioritized.", "product_ids": [ "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1.all" ] } ], "scores": [ { "cvss_v2": { "accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:H/Au:N/C:N/I:P/A:P", "version": "2.0" }, "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L", "version": "3.1" }, "products": [ "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all", "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1.all" ] } ], "threats": [ { "category": "impact", "details": "Low" } ] } ] }