CVE-2020-1738: 
Ansible Tower vulnerability analysis and mitigation

A flaw was discovered in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are affected (NVD, Red Hat Bugzilla).

The vulnerability occurs when the package or service modules use facts to determine the module name to run if the 'use' parameter is not specified. The ansible_facts['pkg_mgr'] and ansible_facts['service_mgr'] facts could be set to another module name or a module name installed in a collection, potentially allowing arbitrary code execution on the managed node. The vulnerability has a CVSS v3.1 Base Score of 3.9 (LOW) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L (NVD).

If exploited, this vulnerability could allow an attacker to execute arbitrary code on the managed node through manipulation of ansible facts. The impact is considered low due to the required conditions and limited scope of the vulnerability (Red Hat Bugzilla).

The recommended mitigation is to specify the parameter 'use' when possible on the package and service modules. Users should avoid using Ansible Collections on Ansible 2.8.9 or 2.7.16 (and any previous versions) as they do not reject python with no path. This issue has been fixed in Ansible Engine version 2.9.7 (Red Hat Bugzilla, Gentoo Security).