VYPR

rpm package

suse/salt&distro=SUSE Enterprise Storage 5

pkg:rpm/suse/salt&distro=SUSE%20Enterprise%20Storage%205

Vulnerabilities (7)

  • CVE-2020-25592 | Nov 6, 2020
    affected < 2016.11.4-48.13.1 | fixed 2016.11.4-48.13.1

    In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.

  • CVE-2020-17490 | Nov 6, 2020
    affected < 2016.11.4-48.13.1 | fixed 2016.11.4-48.13.1

    The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions.

  • CVE-2020-16846 | KEV | Nov 6, 2020
    affected < 2016.11.4-48.13.1 | fixed 2016.11.4-48.13.1

    An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

  • CVE-2020-11652 | KEV | Apr 30, 2020
    affected < 2016.11.4-48.10.1 | fixed 2016.11.4-48.10.1

    An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

  • CVE-2020-11651 | KEV | Apr 30, 2020
    affected < 2016.11.4-48.10.1 | fixed 2016.11.4-48.10.1

    An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user

  • CVE-2017-14696 | Hig | Oct 24, 2017
    affected < 2016.11.4-46.10.1 | fixed 2016.11.4-46.10.1

    SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.

  • CVE-2017-14695 | Cri | Oct 24, 2017
    affected < 2016.11.4-46.10.1 | fixed 2016.11.4-46.10.1

    Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability ex