VuXML: salt -- multiple vulnerabilities

Affected packages

3002

py36-salt

3002.1

3002

py37-salt

3002.1

3002

py38-salt

3002.1

Details

VuXML ID	50259d8b-243e-11eb-8bae-b42e99975750
Discovery	2020-11-06
Entry	2020-11-12

VuXML ID

50259d8b-243e-11eb-8bae-b42e99975750

Discovery

2020-11-06

Entry

2020-11-12

SaltStack reports multiple security vulnerabilities in Salt 3002:

CVE-2020-16846: Prevent shell injections in netapi ssh client.

CVE-2020-17490: Prevent creating world readable private keys with the tls execution module.

CVE-2020-25592: Properly validate eauth credentials and tokens along with their ACLs. Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api. Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls to Salt ssh.

[source]

CVE Name	CVE-2020-16846
CVE Name	CVE-2020-17490
CVE Name	CVE-2020-25592
URL	https://docs.saltstack.com/en/latest/topics/releases/3002.1.html
URL	https://nvd.nist.gov/vuln/detail/CVE-2020-16846
URL	https://nvd.nist.gov/vuln/detail/CVE-2020-17490
URL	https://nvd.nist.gov/vuln/detail/CVE-2020-25592

salt -- multiple vulnerabilities

Details

References