
Cloud Vulnerability DB
A community-led vulnerabilities database
A flaw was discovered in the pipe lookup plugin of Ansible (CVE-2020-1734), reported in November 2019. The pipe lookup plugin hands its argument to subprocess.Popen() with shell=True. When a playbook builds that argument from a variable that has not been escaped with the quote filter, an attacker who can control Ansible facts can inject shell metacharacters into the argument and execute arbitrary commands (NVD, CVE).
The root cause is the plugin's default behaviour: every term passed to the lookup is executed as a shell command line rather than as an argument vector. Because lookup plugins run on the Ansible control node, not on the managed host, the injected command executes on the controller, while the facts that feed the term are gathered from the managed hosts. A host an attacker already controls can therefore supply a crafted fact that the playbook interpolates, unescaped, into a pipe lookup. The vulnerability has a CVSS v3.1 base score of 7.4 (HIGH) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L (NVD); the changed scope (S:C) reflects that a compromised managed host is used to reach the control node.
An attacker able to plant malicious facts could execute arbitrary commands on the control node in the context of the user running Ansible, which could result in compromise of the control node and privilege escalation across the Ansible environment (Bugzilla).
The issue can be mitigated by ensuring that every variable interpolated into a pipe lookup term is passed through the quote filter, which applies shlex-style shell quoting so the value is treated as a single word by the shell. The fix suggested in the bug report is for the plugin to default to shell=False and to add an explicit argument for callers that genuinely need shell=True (Bugzilla).
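As an added illustration (not part of the original report and not Ansible's own code), the following Python models the mechanism described above and both defences: the quote filter and the proposed shell=False default. It also includes a small grep-style audit for playbook text. The fact value, the playbook fragment and all helper names (pipe_lookup, ansible_quote, shell_false_lookup, audit_playbook) are assumptions constructed for this example; pipe_lookup mirrors the Popen(shell=True) call the plugin makes, ansible_quote mirrors the quote filter (shlex.quote), and audit_playbook is a heuristic, not an Ansible feature.

```python
import re
import shlex
import subprocess

# Constructed fact value: what an attacker who controls a managed host could
# plant (for instance as a custom fact) so that it is interpolated, unescaped,
# into a controller-side pipe lookup. Example only; not from the original report.
MALICIOUS_FACT = "hello; echo INJECTED"


def ansible_quote(value: str) -> str:
    """Mirror of Ansible's `quote` Jinja2 filter, which applies shlex.quote."""
    return shlex.quote(value)


def pipe_lookup(term: str) -> str:
    """Model of the pipe lookup plugin: the whole term is handed to /bin/sh
    via Popen(shell=True) on the control node, as the plugin does."""
    proc = subprocess.Popen(term, shell=True, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
    out, _ = proc.communicate()
    return out.decode().rstrip("\n")


def vulnerable_template(fact: str) -> str:
    """Playbook wrote:  lookup('pipe', 'echo ' ~ ansible_local.banner.msg)
    The ';' inside the fact ends the echo and starts a second command."""
    return pipe_lookup("echo " + fact)


def hardened_template(fact: str) -> str:
    """Playbook wrote:  lookup('pipe', 'echo ' ~ (ansible_local.banner.msg | quote))
    shlex quoting turns the entire fact into one word for the shell."""
    return pipe_lookup("echo " + ansible_quote(fact))


def shell_false_lookup(argv: list) -> str:
    """The fix proposed in the bug report: run without a shell, so metacharacters
    inside argv elements are never interpreted. Assumed signature, not Ansible's."""
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout.rstrip("\n")


# Heuristic audit for playbook text: flag pipe lookup terms that are neither a
# plain string literal nor passed through the quote filter. Assumed helper.
_PIPE_CALL = re.compile(r"lookup\(\s*['\"]pipe['\"]\s*,(?P<term>[^)]*)\)")
_PLAIN_LITERAL = re.compile(r"""\s*(['"])[^'"]*\1\s*""")


def audit_playbook(text: str) -> list:
    """Return 1-based line numbers whose pipe lookup term embeds an unquoted
    expression. False positives are possible; treat it as a targeted grep."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in _PIPE_CALL.finditer(line):
            term = match.group("term")
            if _PLAIN_LITERAL.fullmatch(term):
                continue            # constant command, nothing interpolated
            if re.search(r"\|\s*quote\b", term):
                continue            # variable escaped with the quote filter
            flagged.append(lineno)
    return flagged


# Constructed playbook fragment for the audit; lines 4 and 5 differ only in
# the presence of the quote filter.
SAMPLE_PLAYBOOK = """\
- hosts: all
  tasks:
    - debug: msg="{{ lookup('pipe', 'date') }}"
    - debug: msg="{{ lookup('pipe', 'echo ' ~ ansible_local.banner.msg) }}"
    - debug: msg="{{ lookup('pipe', 'echo ' ~ (ansible_local.banner.msg | quote)) }}"
"""

if __name__ == "__main__":
    print("shell=True, unquoted:", repr(vulnerable_template(MALICIOUS_FACT)))
    print("shell=True, | quote: ", repr(hardened_template(MALICIOUS_FACT)))
    print("shell=False:        ", repr(shell_false_lookup(["echo", MALICIOUS_FACT])))
    print("audit flagged lines:", audit_playbook(SAMPLE_PLAYBOOK))
```

Run on a POSIX host: the unquoted template prints two lines (the second command ran), the quoted template and the shell=False variant both print the fact verbatim, and the audit flags only line 4 of the constructed playbook. The audit regex stops at the first closing parenthesis, so it is deliberately crude; it is meant to surface candidates for manual review of real playbooks, not to prove their safety.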
Upstream Ansible maintainers consider the shell=True behaviour intended and place the responsibility on playbook authors to apply the quote filter to any variable they pass into a pipe lookup. The same concern had been raised earlier in GitHub issue #6550 but was not changed because of concerns about breaking existing playbooks that rely on shell features in pipe terms (GitHub).
Source: This report was generated using AI