VuXML ID | Description |
0652005e-ca96-11e5-96d6-14dae9d210b8 | salt -- code execution
SaltStack reports:
Improper handling of clear messages on the minion, which
could result in executing commands not sent by the master.
Discovery 2016-01-25 Entry 2016-02-03
py27-salt
py32-salt
py33-salt
py34-salt
py35-salt
>= 2015.8.0, < 2015.8.4
https://docs.saltstack.com/en/latest/topics/releases/2015.8.4.html
https://github.com/saltstack/salt/pull/30613/files
CVE-2016-1866
|
3531141d-a708-477c-954a-2a0549e49ca9 | salt -- Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master
SaltStack reports:
Correct a flaw in minion id validation which could allow certain
minions to authenticate to a master despite not having the correct
credentials. To exploit the vulnerability, an attacker must create a
salt-minion with an ID containing characters that will cause a
directory traversal.
Credit for discovering the security flaw goes to: Vernhk@qq.com
Discovery 2017-08-16 Entry 2017-08-22
py27-salt
py32-salt
py33-salt
py34-salt
py35-salt
py36-salt
< 2016.11.7
>= 2017.7.0, < 2017.7.1
CVE-2017-12791
https://docs.saltstack.com/en/latest/topics/releases/2017.7.1.html
https://docs.saltstack.com/en/latest/topics/releases/2016.11.7.html
|
3934cc60-f0fa-4eca-be09-c8bd7ae42871 | Salt -- multiple vulnerabilities
Salt release notes:
CVE-2015-6918 - Git modules leaking HTTPS auth credentials to debug log
Updated the Git state and execution modules to no longer display HTTPS basic
authentication credentials in loglevel debug output on the Salt master. These
credentials are now replaced with REDACTED in the debug output. Thanks to
Andreas Stieger for bringing this to our attention.
CVE-2015-6941 - win_useradd module and salt-cloud display passwords in debug
log
Updated the win_useradd module return data to no longer include the password
of the newly created user. The password is now replaced with the string
XXX-REDACTED-XXX. Updated the Salt Cloud debug output to no longer display
win_password and sudo_password authentication credentials. Also updated the
Linode driver to no longer display authentication credentials in debug logs.
These credentials are now replaced with REDACTED in the debug output.
Discovery 2015-10-16 Entry 2015-10-17
py27-salt
< 2015.8.1
https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html
CVE-2015-6918
CVE-2015-6941
|
4f7c6af3-6a2c-4ead-8453-04e509688d45 | salt -- multiple vulnerabilities
SaltStack reports:
Remote command execution and incorrect access control when using
salt-api.
Directory traversal vulnerability when using salt-api. Allows an
attacker to determine what files exist on a server when querying
/run or /events.
Discovery 2018-10-24 Entry 2018-10-27
py27-salt
py32-salt
py33-salt
py34-salt
py35-salt
py36-salt
py37-salt
< 2017.7.8
>= 2018.3.0, < 2018.3.3
CVE-2018-15751
CVE-2018-15750
https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html
https://docs.saltstack.com/en/2017.7/topics/releases/2017.7.8.html
|
50127e44-7b88-4ade-8e12-5d57320823f1 | salt -- multiple vulnerabilities
SaltStack reports:
Directory traversal vulnerability in minion id validation in SaltStack.
Allows remote minions with incorrect credentials to authenticate to a
master via a crafted minion ID. Credit for discovering the security flaw
goes to: Julian Brost (julian@0x4a42.net). NOTE: this vulnerability exists
because of an incomplete fix for CVE-2017-12791.
Remote Denial of Service with a specially crafted authentication request.
Credit for discovering the security flaw goes to: Julian Brost
(julian@0x4a42.net)
Discovery 2017-10-09 Entry 2017-11-23
py27-salt
py32-salt
py33-salt
py34-salt
py35-salt
py36-salt
< 2016.11.8
>= 2017.7.0, < 2017.7.2
CVE-2017-14695
CVE-2017-14696
https://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html
https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.8.html
https://github.com/saltstack/salt/commit/80d90307b07b3703428ecbb7c8bb468e28a9ae6d
https://github.com/saltstack/salt/commit/5f8b5e1a0f23fe0f2be5b3c3e04199b57a53db5b
|
6bf55af9-973b-11ea-9f2c-38d547003487 | salt -- multiple vulnerabilities in salt-master process
F-Secure reports:
CVE-2020-11651 - Authentication bypass vulnerabilities
The ClearFuncs class processes unauthenticated requests and
unintentionally exposes the _send_pub() method, which can be used to
queue messages directly on the master publish server. Such messages
can be used to trigger minions to run arbitrary commands as root.
The ClearFuncs class also exposes the method _prep_auth_info(),
which returns the "root key" used to authenticate commands from the
local root user on the master server. This "root key" can then be
used to remotely call administrative commands on the master server.
This unintentional exposure provides a remote un-authenticated
attacker with root-equivalent access to the salt master.
CVE-2020-11652 - Directory traversal vulnerabilities
The wheel module contains commands used to read and write files
under specific directory paths. The inputs to these functions are
concatenated with the target directory and the resulting path is not
canonicalized, leading to an escape of the intended path restriction.
The get_token() method of the salt.tokens.localfs class (which is
exposed to unauthenticated requests by the ClearFuncs class) fails
to sanitize the token input parameter which is then used as a
filename, allowing insertion of ".." path elements and thus reading
of files outside of the intended directory. The only restriction is
that the file has to be deserializable by salt.payload.Serial.loads().
Discovery 2020-04-30 Entry 2020-05-16
py27-salt
py32-salt
py33-salt
py34-salt
py35-salt
py36-salt
py37-salt
py38-salt
< 2019.2.4
>= 3000, < 3000.2
CVE-2020-11651
CVE-2020-11652
https://nvd.nist.gov/vuln/detail/CVE-2020-11651
https://nvd.nist.gov/vuln/detail/CVE-2020-11652
https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
https://labs.f-secure.com/advisories/saltstack-authorization-bypass
https://blog.f-secure.com/new-vulnerabilities-make-exposed-salt-hosts-easy-targets/
https://www.tenable.com/blog/cve-2020-11651-cve-2020-11652-critical-salt-framework-vulnerabilities-exploited-in-the-wild
|
6d25c306-f3bb-11e5-92ce-002590263bf5 | salt -- Insecure configuration of PAM external authentication service
SaltStack reports:
This issue affects all Salt versions prior to 2015.8.8/2015.5.10
when PAM external authentication is enabled. This issue involves
passing an alternative PAM authentication service with a command
that is sent to LocalClient, enabling the attacker to bypass the
configured authentication service.
Discovery 2016-03-17 Entry 2016-03-27
py27-salt
py32-salt
py33-salt
py34-salt
py35-salt
< 2015.5.10
>= 2015.8.0, < 2015.8.8
CVE-2016-3176
https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html
|
865863af-fb5e-11e4-8fda-002590263bf5 | py-salt -- potential shell injection vulnerabilities
Colton Myers reports:
In order to fix potential shell injection vulnerabilities in salt
modules, a change has been made to the various cmd module functions.
These functions now default to python_shell=False, which means that
the commands will not be sent to an actual shell.
The largest side effect of this change is that "shellisms", such as
pipes, will not work by default. The modules shipped with salt have
been audited to fix any issues that might have arisen from this
change. Additionally, the cmd state module has been unaffected, and
use of cmd.run in jinja is also unaffected. cmd.run calls on the
CLI will also allow shellisms.
However, custom execution modules which use shellisms in cmd calls
will break, unless you pass python_shell=True to these calls.
As a temporary workaround, you can set cmd_safe: False in your
minion and master configs. This will revert the default, but is
also less secure, as it will allow shell injection vulnerabilities
to be written in custom code. We recommend you only set this
setting for as long as it takes to resolve these issues in your
custom code, then remove the override.
Discovery 2015-05-11 Entry 2015-05-24
py27-salt
< 2015.5.0
http://docs.saltstack.com/en/latest/topics/releases/2015.5.0.html
|
8c98e643-6008-11ea-af63-38d547003487 | salt -- salt-api vulnerability
SaltStack reports:
With the Salt NetAPI enabled in addition to having a SSH roster
defined, unauthenticated access is possible when specifying the
client as SSH.
Additionally, when the raw_shell option is specified any arbitrary
command may be run on the Salt master when specifying SSH options.
Discovery 2020-01-15 Entry 2020-03-07
py27-salt
py32-salt
py33-salt
py34-salt
py35-salt
py36-salt
py37-salt
py38-salt
< 2019.2.3
CVE-2019-17361
https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html
https://nvd.nist.gov/vuln/detail/CVE-2019-17361
|
e6b974ab-9d35-11e5-8f5c-002590263bf5 | Salt -- information disclosure
Salt release notes report:
CVE-2015-8034: Saving state.sls cache data to disk with insecure
permissions
This affects users of the state.sls function. The state run cache
on the minion was being created with incorrect permissions. This
file could potentially contain sensitive data that was inserted via
jinja into the state SLS files. The permissions for this file are
now being set correctly. Thanks to @zmalone for bringing this issue
to our attention.
Discovery 2015-11-25 Entry 2015-12-07
py27-salt
< 2015.8.3
CVE-2015-8034
https://docs.saltstack.com/en/latest/topics/releases/2015.8.3.html
|