High severity · NVD Advisory · Published Mar 3, 2020 · Updated Aug 4, 2024

CVE-2020-1734

Description

A flaw was found in the pipe lookup plugin of Ansible. The plugin runs the command string it is given through subprocess.Popen() with shell=True. When a playbook builds that string from a variable without escaping it through the quote filter, an attacker who can overwrite Ansible facts can inject arbitrary shell commands into the string, and those commands run on the Ansible controller.
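To make the mechanism concrete, here is an added example (mine, not Ansible's code and not taken from the patches below) that stands in for what the pipe lookup does: it hands the rendered term to subprocess.Popen() with shell=True. The term-building functions model a task such as `msg: "{{ lookup('pipe', 'echo user=' + myuser) }}"` with and without the quote filter; Python's shlex.quote is used as a stand-in for Ansible's quote filter on the assumption that both emit a single-quoted POSIX shell word. The fact value is a constructed sample of what a hostile managed host could report, and the argv variant is the shell-free alternative, not something the plugin offers.

```python
import shlex
import subprocess

# Constructed sample input: a fact value as a hostile managed host could report it.
# The ';' terminates the intended command and starts a second one.
MALICIOUS_FACT = "alice; echo INJECTED"
MARKER = "INJECTED"


def pipe_lookup(term: str) -> str:
    """Stand-in for the pipe lookup: run the rendered term through /bin/sh via
    Popen(shell=True), the call pattern the advisory describes."""
    proc = subprocess.Popen(
        term, shell=True, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL
    )
    out, _ = proc.communicate()
    return out.decode().rstrip("\n")


def unquoted_term(user: str) -> str:
    """Models lookup('pipe', 'echo user=' + myuser) with no quote filter."""
    return "echo user=" + user


def quoted_term(user: str) -> str:
    """Models lookup('pipe', 'echo user=' + myuser | quote).
    shlex.quote stands in for the quote filter (assumption: both produce a
    single-quoted POSIX shell word)."""
    return "echo user=" + shlex.quote(user)


def whole_term_quoted(user: str) -> str:
    """Models the precedence mistake ('echo user=' + myuser) | quote: the whole
    command becomes one shell word, so the shell looks for a program literally
    named 'echo user=...' and nothing useful runs."""
    return shlex.quote("echo user=" + user)


def argv_lookup(argv: list) -> str:
    """Shell-free alternative: pass an argv list with shell=False, so
    metacharacters in any element are data, never syntax."""
    res = subprocess.run(argv, capture_output=True, text=True, check=False)
    return res.stdout.rstrip("\n")


def injected(output: str) -> bool:
    """True if the smuggled second command produced its own output line."""
    return MARKER in output.splitlines()


if __name__ == "__main__":
    for label, term in (
        ("unquoted", unquoted_term(MALICIOUS_FACT)),
        ("quoted", quoted_term(MALICIOUS_FACT)),
        ("whole term quoted", whole_term_quoted(MALICIOUS_FACT)),
    ):
        out = pipe_lookup(term)
        print(f"{label:18} term={term!r}")
        print(f"{'':18} stdout={out!r} injected={injected(out)}")
    print("argv form:", repr(argv_lookup(["echo", "user=" + MALICIOUS_FACT])))
```

The unquoted term yields two output lines because the shell ran two commands; the quoted term yields one line containing the literal semicolon. The argv form corresponds to the advice in the plugin notes to use a command task against localhost instead of the lookup: no shell is involved, so there is nothing to escape.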

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions           Patched version
ansible (PyPI)    >= 2.10.0a1, < 2.10.0rc1    2.10.0rc1
ansible (PyPI)    >= 2.9.0a1, < 2.9.11        2.9.11
ansible (PyPI)    < 2.8.13                    2.8.13

Patches (4)

4f978af4ca16

[2.9] pipe: update docs for Popen with shell=True usage (#70603)

https://github.com/ansible/ansible · Abhijeet Kasurde · Jul 17, 2020 · via ghsa
2 files changed · +16 −7
  • changelogs/fragments/70261_pipe_lookup.yml (+2 −0, added)
    @@ -0,0 +1,2 @@
    +minor_changes:
    +- pipe lookup - update docs for Popen with shell=True usages (https://github.com/ansible/ansible/issues/70159).
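
Review bot: the fragment at `+minor_changes:` files this under minor changes and cites only issue 70159, although the commit is the fix the advisory lists for CVE-2020-1734; name the CVE in the entry and file it under security_fixes rather than minor_changes so the release notes can be searched for it.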
    
  • lib/ansible/plugins/lookup/pipe.py (+14 −7, modified)
    @@ -4,32 +4,39 @@
     from __future__ import (absolute_import, division, print_function)
     __metaclass__ = type
     
    -DOCUMENTATION = """
    +DOCUMENTATION = r"""
         lookup: pipe
         author: Daniel Hokka Zakrisson <daniel@hozac.com>
         version_added: "0.9"
         short_description: read output from a command
         description:
    -      - Run a command and return the output
    +      - Run a command and return the output.
         options:
           _terms:
    -        description: command(s) to run
    +        description: command(s) to run.
             required: True
         notes:
           - Like all lookups this runs on the Ansible controller and is unaffected by other keywords, such as become,
             so if you need to different permissions you must change the command or run Ansible as another user.
           - Alternatively you can use a shell/command task that runs against localhost and registers the result.
    +      - Pipe lookup internally invokes Popen with shell=True (this is required and intentional).
    +        This type of invocation is considered as security issue if appropriate care is not taken to sanitize any user provided or variable input.
    +        It is strongly recommended to pass user input or variable input via quote filter before using with pipe lookup.
    +        See example section for this.
    +        Read more about this L(Bandit B602 docs,https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html)
     """
     
    -EXAMPLES = """
    +EXAMPLES = r"""
     - name: raw result of running date command"
    -  debug: msg="{{ lookup('pipe','date') }}"
    +  debug:
    +    msg: "{{ lookup('pipe', 'date') }}"
     
     - name: Always use quote filter to make sure your variables are safe to use with shell
    -  debug: msg="{{ lookup('pipe','getent ' + myuser|quote ) }}"
    +  debug:
    +    msg: "{{ lookup('pipe', 'getent ' + myuser | quote ) }}"
     """
     
    -RETURN = """
    +RETURN = r"""
       _string:
         description:
           - stdout from command
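
Review bot: the added notes text has grammar slips that will ship in the rendered docs: `This type of invocation is considered as security issue` should read `is a security issue`, and `Read more about this L(Bandit B602 docs,...)` needs an `in` before the link. While this docstring is being touched, the unchanged example name `raw result of running date command"` carries a stray trailing quote; drop it.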
    
963bdd9983b9

[2.10] pipe: update docs for Popen with shell=True usage (#70602)

https://github.com/ansible/ansible · Abhijeet Kasurde · Jul 17, 2020 · via ghsa
2 files changed · +16 −7
  • changelogs/fragments/70261_pipe_lookup.yml (+2 −0, added)
    @@ -0,0 +1,2 @@
    +minor_changes:
    +- pipe lookup - update docs for Popen with shell=True usages (https://github.com/ansible/ansible/issues/70159).
    
  • lib/ansible/plugins/lookup/pipe.py (+14 −7, modified)
    @@ -4,32 +4,39 @@
     from __future__ import (absolute_import, division, print_function)
     __metaclass__ = type
     
    -DOCUMENTATION = """
    +DOCUMENTATION = r"""
         lookup: pipe
         author: Daniel Hokka Zakrisson <daniel@hozac.com>
         version_added: "0.9"
         short_description: read output from a command
         description:
    -      - Run a command and return the output
    +      - Run a command and return the output.
         options:
           _terms:
    -        description: command(s) to run
    +        description: command(s) to run.
             required: True
         notes:
           - Like all lookups this runs on the Ansible controller and is unaffected by other keywords, such as become,
             so if you need to different permissions you must change the command or run Ansible as another user.
           - Alternatively you can use a shell/command task that runs against localhost and registers the result.
    +      - Pipe lookup internally invokes Popen with shell=True (this is required and intentional).
    +        This type of invocation is considered as security issue if appropriate care is not taken to sanitize any user provided or variable input.
    +        It is strongly recommended to pass user input or variable input via quote filter before using with pipe lookup.
    +        See example section for this.
    +        Read more about this L(Bandit B602 docs,https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html)
     """
     
    -EXAMPLES = """
    +EXAMPLES = r"""
     - name: raw result of running date command"
    -  debug: msg="{{ lookup('pipe','date') }}"
    +  debug:
    +    msg: "{{ lookup('pipe', 'date') }}"
     
     - name: Always use quote filter to make sure your variables are safe to use with shell
    -  debug: msg="{{ lookup('pipe','getent ' + myuser|quote ) }}"
    +  debug:
    +    msg: "{{ lookup('pipe', 'getent ' + myuser | quote ) }}"
     """
     
    -RETURN = """
    +RETURN = r"""
       _string:
         description:
           - stdout from command
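
Review bot: the `Always use quote filter` example is correct only because Jinja2 binds a filter tighter than `+`, so `'getent ' + myuser | quote` quotes just `myuser`; the notes should say that `| quote` has to be applied to each interpolated variable separately, because the tempting `('getent ' + myuser) | quote` turns the whole command into one shell word that no longer runs, and a term built from several variables needs one `| quote` per variable. The current sentence `pass user input or variable input via quote filter before using with pipe lookup` leaves that implicit.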
    
bff0724e9eab

[2.8] pipe: update docs for Popen with shell=True usage (#70604)

https://github.com/ansible/ansible · Abhijeet Kasurde · Jul 13, 2020 · via ghsa
2 files changed · +16 −7
  • changelogs/fragments/70261_pipe_lookup.yml (+2 −0, added)
    @@ -0,0 +1,2 @@
    +minor_changes:
    +- pipe lookup - update docs for Popen with shell=True usages (https://github.com/ansible/ansible/issues/70159).
    
  • lib/ansible/plugins/lookup/pipe.py (+14 −7, modified)
    @@ -4,32 +4,39 @@
     from __future__ import (absolute_import, division, print_function)
     __metaclass__ = type
     
    -DOCUMENTATION = """
    +DOCUMENTATION = r"""
         lookup: pipe
         author: Daniel Hokka Zakrisson <daniel@hozac.com>
         version_added: "0.9"
         short_description: read output from a command
         description:
    -      - Run a command and return the output
    +      - Run a command and return the output.
         options:
           _terms:
    -        description: command(s) to run
    +        description: command(s) to run.
             required: True
         notes:
           - Like all lookups this runs on the Ansible controller and is unaffected by other keywords, such as become,
             so if you need to different permissions you must change the command or run Ansible as another user.
           - Alternatively you can use a shell/command task that runs against localhost and registers the result.
    +      - Pipe lookup internally invokes Popen with shell=True (this is required and intentional).
    +        This type of invocation is considered as security issue if appropriate care is not taken to sanitize any user provided or variable input.
    +        It is strongly recommended to pass user input or variable input via quote filter before using with pipe lookup.
    +        See example section for this.
    +        Read more about this L(Bandit B602 docs,https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html)
     """
     
    -EXAMPLES = """
    +EXAMPLES = r"""
     - name: raw result of running date command"
    -  debug: msg="{{ lookup('pipe','date') }}"
    +  debug:
    +    msg: "{{ lookup('pipe', 'date') }}"
     
     - name: Always use quote filter to make sure your variables are safe to use with shell
    -  debug: msg="{{ lookup('pipe','getent ' + myuser|quote ) }}"
    +  debug:
    +    msg: "{{ lookup('pipe', 'getent ' + myuser | quote ) }}"
     """
     
    -RETURN = """
    +RETURN = r"""
       _string:
         description:
           - stdout from command
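
Review bot: `Popen with shell=True (this is required and intentional)` asserts necessity without giving the reason; state it (the term is a whole shell command line, so pipes and redirections in `_terms` need a shell to interpret them) and repeat in the new security note that the command runs on the controller with the controller user's privileges, which the earlier note about `become` implies but the security paragraph does not say.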
    
e5649ca3e807

pipe: update docs for Popen with shell=True usage (#70596)

https://github.com/ansible/ansible · Abhijeet Kasurde · Jul 13, 2020 · via ghsa
2 files changed · +16 −7
  • changelogs/fragments/70261_pipe_lookup.yml (+2 −0, added)
    @@ -0,0 +1,2 @@
    +minor_changes:
    +- pipe lookup - update docs for Popen with shell=True usages (https://github.com/ansible/ansible/issues/70159).
    
  • lib/ansible/plugins/lookup/pipe.py (+14 −7, modified)
    @@ -4,32 +4,39 @@
     from __future__ import (absolute_import, division, print_function)
     __metaclass__ = type
     
    -DOCUMENTATION = """
    +DOCUMENTATION = r"""
         lookup: pipe
         author: Daniel Hokka Zakrisson <daniel@hozac.com>
         version_added: "0.9"
         short_description: read output from a command
         description:
    -      - Run a command and return the output
    +      - Run a command and return the output.
         options:
           _terms:
    -        description: command(s) to run
    +        description: command(s) to run.
             required: True
         notes:
           - Like all lookups this runs on the Ansible controller and is unaffected by other keywords, such as become,
             so if you need to different permissions you must change the command or run Ansible as another user.
           - Alternatively you can use a shell/command task that runs against localhost and registers the result.
    +      - Pipe lookup internally invokes Popen with shell=True (this is required and intentional).
    +        This type of invocation is considered as security issue if appropriate care is not taken to sanitize any user provided or variable input.
    +        It is strongly recommended to pass user input or variable input via quote filter before using with pipe lookup.
    +        See example section for this.
    +        Read more about this L(Bandit B602 docs,https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html)
     """
     
    -EXAMPLES = """
    +EXAMPLES = r"""
     - name: raw result of running date command"
    -  debug: msg="{{ lookup('pipe','date') }}"
    +  debug:
    +    msg: "{{ lookup('pipe', 'date') }}"
     
     - name: Always use quote filter to make sure your variables are safe to use with shell
    -  debug: msg="{{ lookup('pipe','getent ' + myuser|quote ) }}"
    +  debug:
    +    msg: "{{ lookup('pipe', 'getent ' + myuser | quote ) }}"
     """
     
    -RETURN = """
    +RETURN = r"""
       _string:
         description:
           - stdout from command
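
Review bot: the new notes tell users to sanitize `user provided or variable input` but never name the input this advisory is about, namely facts gathered from managed hosts. A compromised or merely untrusted host can set any fact it reports, so a term that concatenates a fact into the command hands that host command execution on the controller; the note should state explicitly that facts and host variables count as untrusted input for this purpose, not only values typed by the operator.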
    
