{"id":"CVE-2020-1735","details":"A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.","aliases":["GHSA-gfr2-qpxh-qj9m","PYSEC-2020-7"],"modified":"2026-04-16T00:05:29.924504251Z","published":"2020-03-16T16:15:13.890Z","related":["SUSE-SU-2020:3309-1","openSUSE-SU-2022:0081-1","openSUSE-SU-2024:10615-1","openSUSE-SU-2024:14244-1","openSUSE-SU-2024:14536-1","openSUSE-SU-2025:15605-1","openSUSE-SU-2025:15753-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"3.3.4"},{"introduced":"3.3.5"},{"last_affected":"3.4.5"},{"introduced":"3.5.0"},{"last_affected":"3.5.5"},{"introduced":"3.6.0"},{"last_affected":"3.6.3"}],"cpe":"cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"5.0"}],"cpe":"cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"13"}],"cpe":"cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"10.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"30"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"31"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"32"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202006-11"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4950"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735"},{"type":"FIX","url":"https://github.com/ansible/ansible/issues/67793"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ansible/ansible","events":[{"introduced":"0"},{"fixed":"f78a5b184c6f8b1bc774ed795a2bd36d38f6506b"},{"introduced":"2611867fd1dc387ceaa0ffb8ce0f030aafc2a859"},{"fixed":"b9ebc0ceefd2bad292b75f5e2e5f7340fd23e896"},{"introduced":"24325a05dfb9104d6d4ec8b488b89e07c2e6d376"},{"fixed":"ff7bbbcaf1e8f434432075bc9c55626a9dd3091d"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"2.7.17"},{"introduced":"2.8.0"},{"fixed":"2.8.11"},{"introduced":"2.9.0"},{"fixed":"2.9.7"}],"cpe":"cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*"}}],"versions":["0.0.1","0.01","0.3","0.7","v1.0","v1.1","v1.2","v1.4.0","v1.6.0","v2.0.0-0.1.alpha1","v2.0.0-0.2.alpha2","v2.0.0-0.3.beta1","v2.0.0-0.4.beta2","v2.0.0-0.5.beta3","v2.6.0a1","v2.7.0","v2.7.0.a1","v2.7.0b1","v2.7.0rc1","v2.7.0rc2","v2.7.0rc3","v2.7.0rc4","v2.7.1","v2.7.10","v2.7.11","v2.7.12","v2.7.13","v2.7.14","v2.7.15","v2.7.16","v2.7.2","v2.7.3","v2.7.4","v2.7.5","v2.7.6","v2.7.7","v2.7.8","v2.7.9","v2.8.0","v2.8.1","v2.8.10","v2.8.2","v2.8.3","v2.8.4","v2.8.5","v2.8.6","v2.8.7","v2.8.8","v2.8.9","v2.9.0","v2.9.1","v2.9.2","v2.9.3","v2.9.4","v2.9.5","v2.9.6"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-1735.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"}]}