Описание
Salt's salt.auth.pki module does not properly authenticate callers
The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2024-38825
- https://github.com/saltstack/salt/commit/5ff18fd0ececdfd083ddce693c3ccef30e44f155
- https://github.com/saltstack/salt/commit/d7cb64e44db5f82fd615373f5dca2eb1fb29bbab
- https://docs.saltproject.io/en/3006/topics/releases/3006.12.html
- https://docs.saltproject.io/en/3007/topics/releases/3007.4.html
Пакеты
salt
>= 3006.0rc1, < 3006.12
3006.12
salt
>= 3007.0rc1, < 3007.4
3007.4
Связанные уязвимости
The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted.
The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted.
The salt.auth.pki module does not properly authenticate callers. The " ...
Уязвимость компонента salt.auth.pki системы управления конфигурациями и удалённого выполнения операций Salt, позволяющая нарушителю обойти процесс аутентификации
