exploitDog

CVE-2020-11651

Published: 30 Apr 2020
Source: debian

Description

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

Packages

| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| salt | fixed | 3000.2+dfsg1-1 | | package |

Notes

  • https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst

  • Fixed by: https://github.com/saltstack/salt/commit/a67d76b15615983d467ed81371b38b4a17e4f3b7 (v3000.2)

  • Regression: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst#known-issue

  • Regression fix: https://github.com/saltstack/salt/commit/cea28c850f7562fd3b869a1bbcc95050ab19e0f1 (v3000.3)

  • See also https://gitlab.com/saltstack/open/salt-patches/-/tree/master/patches/2020/04/14/

Related vulnerabilities

CVSS3: 9.8
ubuntu
almost 6 years ago

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

CVSS3: 9.8
redhat
almost 6 years ago

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

CVSS3: 9.8
nvd
almost 6 years ago

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

CVSS3: 9.8
github
more than 3 years ago

SaltStack Salt Unauthenticated Remote Code Execution

CVSS3: 9.8
fstec
almost 6 years ago

A vulnerability in the master.py component of the SaltStack configuration management and remote execution system that allows an attacker to gain access to confidential data, compromise its integrity, and cause a denial of service