VYPR

rpm package

suse/salt&distro=SUSE Linux Enterprise Server 15 SP1-LTSS

pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS

Vulnerabilities (29)

  • CVE-2021-25281Feb 27, 2021
    affected < 3000-24.1fixed 3000-24.1

    An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.

  • CVE-2020-35662Feb 27, 2021
    affected < 3000-24.1fixed 3000-24.1

    In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated.

  • CVE-2020-28972Feb 27, 2021
    affected < 3000-24.1fixed 3000-24.1

    In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate.

  • CVE-2020-28243Feb 27, 2021
    affected < 3000-24.1fixed 3000-24.1

    An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory.

  • CVE-2020-25592Nov 6, 2020
    affected < 3002.2-37.1fixed 3002.2-37.1

    In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.

  • CVE-2020-11652KEVApr 30, 2020
    affected < 3002.2-37.1fixed 3002.2-37.1

    An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

  • CVE-2020-11651KEVApr 30, 2020
    affected < 3002.2-37.1fixed 3002.2-37.1

    An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user

  • CVE-2018-15751Oct 24, 2018
    affected < 3002.2-37.1fixed 3002.2-37.1

    SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).

  • CVE-2018-15750Oct 24, 2018
    affected < 3002.2-37.1fixed 3002.2-37.1

    Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.

Page 2 of 2