rpm package
suse/salt&distro=SUSE Linux Enterprise Server 15 SP1-LTSS
pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS
Vulnerabilities (29)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-25281 | — | < 3000-24.1 | 3000-24.1 | Feb 27, 2021 | An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. | ||
| CVE-2020-35662 | — | < 3000-24.1 | 3000-24.1 | Feb 27, 2021 | In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated. | ||
| CVE-2020-28972 | — | < 3000-24.1 | 3000-24.1 | Feb 27, 2021 | In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate. | ||
| CVE-2020-28243 | — | < 3000-24.1 | 3000-24.1 | Feb 27, 2021 | An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory. | ||
| CVE-2020-25592 | — | < 3002.2-37.1 | 3002.2-37.1 | Nov 6, 2020 | In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH. | ||
| CVE-2020-11652 | — | KEV | < 3002.2-37.1 | 3002.2-37.1 | Apr 30, 2020 | An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. | |
| CVE-2020-11651 | — | KEV | < 3002.2-37.1 | 3002.2-37.1 | Apr 30, 2020 | An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user | |
| CVE-2018-15751 | — | < 3002.2-37.1 | 3002.2-37.1 | Oct 24, 2018 | SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi). | ||
| CVE-2018-15750 | — | < 3002.2-37.1 | 3002.2-37.1 | Oct 24, 2018 | Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server. |
- CVE-2021-25281Feb 27, 2021affected < 3000-24.1fixed 3000-24.1
An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
- CVE-2020-35662Feb 27, 2021affected < 3000-24.1fixed 3000-24.1
In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated.
- CVE-2020-28972Feb 27, 2021affected < 3000-24.1fixed 3000-24.1
In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate.
- CVE-2020-28243Feb 27, 2021affected < 3000-24.1fixed 3000-24.1
An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory.
- CVE-2020-25592Nov 6, 2020affected < 3002.2-37.1fixed 3002.2-37.1
In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
- affected < 3002.2-37.1fixed 3002.2-37.1
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.
- affected < 3002.2-37.1fixed 3002.2-37.1
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user
- CVE-2018-15751Oct 24, 2018affected < 3002.2-37.1fixed 3002.2-37.1
SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).
- CVE-2018-15750Oct 24, 2018affected < 3002.2-37.1fixed 3002.2-37.1
Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.
Page 2 of 2