A flaw was found in the pipe lookup plugin of Ansible. The plugin runs its command through subprocess.Popen() with shell=True, so when a variable is interpolated into that command without being escaped by the quote filter, an attacker who can overwrite Ansible facts can inject shell syntax and run arbitrary commands on the controller.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1734
https://nvd.nist.gov/vuln/detail/CVE-2020-1734
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1734
https://security-tracker.debian.org/tracker/CVE-2020-1734
https://www.suse.com/security/cve/CVE-2020-1734/
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1734.html
Upstream says this is intended behavior and must be prevented by the playbook author. https://github.com/ansible/ansible/issues/67792#issuecomment-607421605
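The following is an added illustration, not code from the advisory, the Ansible project or the linked trackers. It shows in plain Python what the description and upstream's position amount to: a fact value is pasted into a shell=True command string once without escaping and once through shlex.quote (which is what Ansible's quote filter applies), and a small pre-flight check flags fact values that carry shell metacharacters so a playbook author can catch unquoted interpolation before it reaches a pipe lookup. The fact dictionary, the tampered value and all function names are constructed for this example.

```python
import shlex
import subprocess

# Constructed sample facts: a clean hostname and one that a compromised or
# hostile managed node could report, carrying shell syntax inside the string.
SAMPLE_FACTS = {
    "ansible_hostname": "web01",
    "ansible_hostname_tampered": "web01; echo INJECTED",
}

# Characters that let a value break out of a shell word; used only for the
# pre-flight check below (constructed list, not an Ansible API).
SHELL_METACHARACTERS = set(";|&$`<>()\n'\"\\*?[]{}~#")


def render_unquoted(fact_value):
    """Mimics lookup('pipe', 'echo ' ~ fact) with no quote filter."""
    return "echo " + fact_value


def render_quoted(fact_value):
    """Mimics lookup('pipe', 'echo ' ~ (fact | quote)); quote is shlex.quote."""
    return "echo " + shlex.quote(fact_value)


def run_pipe(command):
    """Runs the command the way the pipe lookup does: through the shell."""
    result = subprocess.run(
        command, shell=True, capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


def check_facts(facts):
    """Pre-flight check: names of fact values containing shell metacharacters."""
    return [
        name
        for name, value in facts.items()
        if isinstance(value, str) and SHELL_METACHARACTERS & set(value)
    ]


if __name__ == "__main__":
    tampered = SAMPLE_FACTS["ansible_hostname_tampered"]
    print("unquoted ->", repr(run_pipe(render_unquoted(tampered))))
    print("quoted   ->", repr(run_pipe(render_quoted(tampered))))
    print("flagged facts:", check_facts(SAMPLE_FACTS))
```

With the quote filter the whole fact is a single shell word and echo prints it back literally; without it the shell sees two commands. The pre-flight check is the kind of guard a playbook author can run over gathered facts before feeding any of them to a pipe lookup, since upstream places that responsibility on the playbook rather than on the plugin.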