GHSA-pjhf-vpx3-33r3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pjhf-vpx3-33r3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pjhf-vpx3-33r3/GHSA-pjhf-vpx3-33r3.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-pjhf-vpx3-33r3
- Aliases
- Published
- 2022-05-24T17:16:59Z
- Modified
- 2024-10-26T23:01:39.133179Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- SaltStack Salt Unauthenticated Remote Code Execution
- Details
-
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
- Database specific
{ "cwe_ids": [ "CWE-20", "CWE-306" ], "github_reviewed_at": "2024-04-22T22:24:37Z", "severity": "CRITICAL", "nvd_published_at": "2020-04-30T17:15:00Z", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-11651
- https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2020-102.yaml
- https://github.com/saltstack/salt
- https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
- https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG
- https://usn.ubuntu.com/4459-1
- https://www.debian.org/security/2020/dsa-4676
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00070.html
- http://packetstormsecurity.com/files/157560/Saltstack-3000.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/157678/SaltStack-Salt-Master-Minion-Unauthenticated-Remote-Code-Execution.html
- http://www.vmware.com/security/advisories/VMSA-2020-0009.html
Affected packages
PyPI / salt
Package
- Name
- salt
- View open source insights on deps.dev
- Purl
- pkg:pypi/salt
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2019.2.4
Affected versions
0.*
0.8.7
0.8.9
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.9.1
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.11.0
0.11.1
0.12.0
0.12.1
0.13.0
0.13.1
0.13.2
0.13.3
0.14.0
0.14.1
0.15.0
0.15.1
0.15.2
0.15.3
0.15.90
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.17.0rc1
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
2014.*
2014.1.0rc1
2014.1.0rc2
2014.1.0rc3
2014.1.0
2014.1.1
2014.1.2
2014.1.3
2014.1.4
2014.1.5
2014.1.6
2014.1.7
2014.1.8
2014.1.9
2014.1.10
2014.1.11
2014.1.12
2014.1.13
2014.7.0rc1
2014.7.0rc2
2014.7.0rc3
2014.7.0rc4
2014.7.0rc5
2014.7.0rc6
2014.7.0rc7
2014.7.0
2014.7.1
2014.7.2
2014.7.3
2014.7.4
2014.7.5
2014.7.6
2014.7.7
2015.*
2015.2.0rc1
2015.2.0rc2
2015.5.0
2015.5.1
2015.5.2
2015.5.3
2015.5.4
2015.5.5
2015.5.6
2015.5.7
2015.5.8
2015.5.9
2015.5.10
2015.5.11
2015.8.0rc1
2015.8.0rc2
2015.8.0rc3
2015.8.0rc4
2015.8.0rc5
2015.8.0
2015.8.1
2015.8.2
2015.8.3
2015.8.4
2015.8.5
2015.8.7
2015.8.8
2015.8.8.2
2015.8.9
2015.8.10
2015.8.11
2015.8.12
2015.8.13
2016.*
2016.3.0rc2
2016.3.0rc3
2016.3.0
2016.3.1
2016.3.2
2016.3.3
2016.3.4
2016.3.5
2016.3.6
2016.3.7
2016.3.8
2016.11.0rc1
2016.11.0rc2
2016.11.0
2016.11.1
2016.11.2
2016.11.3
2016.11.4
2016.11.5
2016.11.6
2016.11.7
2016.11.8
2016.11.9
2016.11.10
2017.*
2017.7.0rc1
2017.7.0
2017.7.1
2017.7.2
2017.7.3
2017.7.4
2017.7.5
2017.7.6
2017.7.7
2017.7.8
2018.*
2018.3.0rc1
2018.3.0
2018.3.1
2018.3.2
2018.3.3
2018.3.4
2018.3.5
2019.*
2019.2.0rc1
2019.2.0rc2
2019.2.0
2019.2.1
2019.2.2
2019.2.3
PyPI / salt
Package
- Name
- salt
- View open source insights on deps.dev
- Purl
- pkg:pypi/salt