CVE-2020-25592 (GCVE-0-2020-25592)
Vulnerability from cvelistv5 – Published: 2020-11-06 07:31 – Updated: 2024-08-04 15:33
Summary
In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://docs.saltstack.com/en/latest/topics/relea… | x_refsource_MISC |
| https://www.saltstack.com/blog/on-november-3-2020… | x_refsource_CONFIRM |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory, x_refsource_SUSE |
| https://security.gentoo.org/glsa/202011-13 | vendor-advisory, x_refsource_GENTOO |
| http://packetstormsecurity.com/files/160039/SaltS… | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2020… | mailing-list, x_refsource_MLIST |
| https://www.debian.org/security/2021/dsa-4837 | vendor-advisory, x_refsource_DEBIAN |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:33:05.711Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.saltstack.com/en/latest/topics/releases/index.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/"
},
{
"name": "FEDORA-2020-9e040bd6dd",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/"
},
{
"name": "openSUSE-SU-2020:1868",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html"
},
{
"name": "GLSA-202011-13",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202011-13"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html"
},
{
"name": "[debian-lts-announce] 20201204 [SECURITY] [DLA 2480-1] salt security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html"
},
{
"name": "DSA-4837",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4837"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-24T23:06:07.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.saltstack.com/en/latest/topics/releases/index.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/"
},
{
"name": "FEDORA-2020-9e040bd6dd",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/"
},
{
"name": "openSUSE-SU-2020:1868",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html"
},
{
"name": "GLSA-202011-13",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202011-13"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html"
},
{
"name": "[debian-lts-announce] 20201204 [SECURITY] [DLA 2480-1] salt security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html"
},
{
"name": "DSA-4837",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4837"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-25592",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.saltstack.com/en/latest/topics/releases/index.html",
"refsource": "MISC",
"url": "https://docs.saltstack.com/en/latest/topics/releases/index.html"
},
{
"name": "https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/",
"refsource": "CONFIRM",
"url": "https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/"
},
{
"name": "FEDORA-2020-9e040bd6dd",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/"
},
{
"name": "openSUSE-SU-2020:1868",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html"
},
{
"name": "GLSA-202011-13",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202011-13"
},
{
"name": "http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html"
},
{
"name": "[debian-lts-announce] 20201204 [SECURITY] [DLA 2480-1] salt security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html"
},
{
"name": "DSA-4837",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4837"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-25592",
"datePublished": "2020-11-06T07:31:53.000Z",
"dateReserved": "2020-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:33:05.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-25592",
"date": "2026-05-30",
"epss": "0.44938",
"percentile": "0.97645"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-25592\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-11-06T08:15:13.503\",\"lastModified\":\"2024-11-21T05:18:10.730\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.\"},{\"lang\":\"es\",\"value\":\"En SaltStack Salt versiones hasta 3002, salt-netapi comprueba inapropiadamente credenciales y tokens de eauth.\u0026#xa0;Un usuario puede omitir la autenticaci\u00f3n e invocar Salt SSH\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack
:salt:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2015.8.10\",\"matchCriteriaId\":\"0F9405E3-F2B0-41BA-A39D-61BB38475A59\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2015.8.11\",\"versionEndExcluding\":\"2015.8.13\",\"matchCriteriaId\":\"A35C23D3-82D4-46E7-BF08-9229C04C0C3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2016.3.0\",\"versionEndExcluding\":\"2016.3.4\",\"matchCriteriaId\":\"B4741BD5-4C40-48BC-A2C1-E6AB33818201\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2016.3.5\",\"versionEndExcluding\":\"2016.3.6\",\"matchCriteriaId\":\"7D28A2B5-316A-45DC-AC85-A0F743C4B3C4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2016.3.7\",\"versionEndExcluding\":\"2016.3.8\",\"matchCriteriaId\":\"17C96153-85C1-45DC-A48B-46A3900246E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2016.11.0\",\"versionEndExcluding\":\"2016.11.3\",\"matchCriteriaId\":\"B0A54497-D7E2-4A2C-9719-4D992B296498\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2016.11.4\",\"versionEndExcluding\":\"2016.11.6\",\"matchCriteriaId\":\"920C57AF-6E88-465A-83FA-AB947D4C6F0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2016.11.7\",\"versionEndExcluding\":\"2016.11.10\",\"matchCriteriaId\":\"11D84847-0C8A-473A-9186-46FABD7BB59A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2017.5.0\",\"versionEndExcluding\":\"2017.7.4\",\"matchCriteriaId\":\"C45ACC11-CA9B-4451-B6DD-BD784349CDE8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2017.7.5\",\"versionEndE
xcluding\":\"2017.7.8\",\"matchCriteriaId\":\"BD998745-FA62-4894-A4FC-767F0DE131B9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2018.2.0\",\"versionEndExcluding\":\"2018.3.5\",\"matchCriteriaId\":\"9747884A-8B29-42C9-BF5E-5B6D883A78E3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2019.2.0\",\"versionEndExcluding\":\"2019.2.5\",\"matchCriteriaId\":\"F7A2912C-7F48-465D-B7F2-93ECD0D0CB74\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3000.0\",\"versionEndExcluding\":\"3000.3\",\"matchCriteriaId\":\"D64191C4-C3D3-4615-B7D5-26ADA8BD7C7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saltstack:salt:3001:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"74CAD70E-E77C-4010-B224-CEE3968CB6A2\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://docs.saltstack.com/en/latest/topics/releases/index.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party 
Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.gentoo.org/glsa/202011-13\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4837\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://docs.saltstack.com/en/latest/topics/releases/index.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202011-13\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4837\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Title
Уязвимость компонента salt-netapi системы управления конфигурациями и удалённого выполнения операций Salt, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
Description
Уязвимость компонента salt-netapi системы управления конфигурациями и удалённого выполнения операций Salt связана с недостаточной проверкой вводимых данных. Эксплуатация уязвимости позволяет нарушителю, действующему удаленно, получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
Severity
Vendor
Сообщество свободного программного обеспечения, Novell Inc., Fedora Project, Red Hat Inc., SaltStack, Inc, АО «ИВК», АО "НППКТ"
Software Name
Debian GNU/Linux, OpenSUSE Leap, Fedora, Red Hat Ceph Storage, Salt, Альт 8 СП (запись в едином реестре российских программ №4305), ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913)
Software Version
9 (Debian GNU/Linux), 15.1 (OpenSUSE Leap), 10 (Debian GNU/Linux), 31 (Fedora), 2 (Red Hat Ceph Storage), до 3002 (Salt), - (Альт 8 СП), до 2.5 (ОСОН ОСнова Оnyx)
Possible Mitigations
Использование рекомендаций:
Для Salt:
Обновление программного обеспечения до 3002.5+dfsg1-1 или более поздней версии
Для Debian:
Обновление программного обеспечения (пакета salt) до 2016.11.2+ds-1+deb9u6 или более поздней версии
Для программных продуктов Novell Inc.:
https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html
Для Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/CVE-2020-25592
Для ОСОН ОСнова Оnyx: Обновление программного обеспечения salt до версии 2018.3.4+dfsg1-6+deb10u3
Для ОС Альт 8 СП: установка обновления из публичного репозитория программного средства
Reference
https://access.redhat.com/security/cve/CVE-2020-25592
https://github.com/saltstack/salt/releases/tag/v3002
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/
https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html
https://nvd.nist.gov/vuln/detail/CVE-2020-25592
https://security-tracker.debian.org/tracker/CVE-2020-25592
https://www.cvebase.com/cve/2020/25592
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.5/
https://altsp.su/obnovleniya-bezopasnosti/
CWE
CWE-20
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Novell Inc., Fedora Project, Red Hat Inc., SaltStack, Inc, \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\"",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "9 (Debian GNU/Linux), 15.1 (OpenSUSE Leap), 10 (Debian GNU/Linux), 31 (Fedora), 2 (Red Hat Ceph Storage), \u0434\u043e 3002 (Salt), - (\u0410\u043b\u044c\u0442 8 \u0421\u041f), \u0434\u043e 2.5 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Salt:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043e 3002.5+dfsg1-1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f Debian:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f (\u043f\u0430\u043a\u0435\u0442\u0430 salt) \u0434\u043e 2016.11.2+ds-1+deb9u6 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html\n\n\u0414\u043b\u044f Fedora:\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/CVE-2020-25592\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx:\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e 
\u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f salt \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 2018.3.4+dfsg1-6+deb10u3\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f: \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "15.09.2020",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "16.09.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "06.04.2021",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2021-01900",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2020-25592",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, OpenSUSE Leap, Fedora, Red Hat Ceph Storage, Salt, \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 9 , Novell Inc. OpenSUSE Leap 15.1 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Fedora Project Fedora 31 , \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u043b\u044c\u0442 8 \u0421\u041f - (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.5 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 salt-netapi \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f\u043c\u0438 \u0438 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0433\u043e \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u0439 Salt, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c, \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u044c \u0438\u0445 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-20)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 salt-netapi \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f\u043c\u0438 \u0438 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0433\u043e \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u0439 Salt \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c, \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u044c \u0438\u0445 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://access.redhat.com/security/cve/CVE-2020-25592\nhttps://github.com/saltstack/salt/releases/tag/v3002\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/\nhttps://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-25592\nhttps://security-tracker.debian.org/tracker/CVE-2020-25592\nhttps://www.cvebase.com/cve/2020/25592\nhttps://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.5/\nhttps://altsp.su/obnovleniya-bezopasnosti/",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-20",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}
CERTFR-2020-AVI-712
Vulnerability from certfr_avis - Published: 2020-11-04 - Updated: 2020-11-23
De multiples vulnérabilités ont été découvertes dans SaltStack. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| N/A | N/A | SaltStack 3001.x sans le dernier package de sécurité | ||
| N/A | N/A | SaltStack 3000.x sans le dernier package de sécurité | ||
| N/A | N/A | SaltStack 2019.x sans le dernier package de sécurité | ||
| N/A | N/A | SaltStack 2016.11.3, 2016.11.6, 2016.11.10 sans le dernier patch | ||
| N/A | N/A | SaltStack 2015.8.10, 2015.8.13 sans le dernier patch | ||
| N/A | N/A | SaltStack 2018.3.5 sans le dernier patch | ||
| N/A | N/A | SaltStack 2017.7.4, 2017.7.8 sans le dernier patch | ||
| N/A | N/A | SaltStack 2016.3.4, 2016.3.6, 2016.3.8 sans le dernier patch | ||
| N/A | N/A | SaltStack 3002.x sans le dernier package de sécurité |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SaltStack 3001.x sans le dernier package de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "SaltStack 3000.x sans le dernier package de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "SaltStack 2019.x sans le dernier package de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "SaltStack 2016.11.3, 2016.11.6, 2016.11.10 sans le dernier patch",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "SaltStack 2015.8.10, 2015.8.13 sans le dernier patch",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "SaltStack 2018.3.5 sans le dernier patch",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "SaltStack 2017.7.4, 2017.7.8 sans le dernier patch",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "SaltStack 2016.3.4, 2016.3.6, 2016.3.8 sans le dernier patch",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "SaltStack 3002.x sans le dernier package de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-25592",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25592"
},
{
"name": "CVE-2020-17490",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-17490"
},
{
"name": "CVE-2020-16846",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16846"
}
],
"initial_release_date": "2020-11-04T00:00:00",
"last_revision_date": "2020-11-23T00:00:00",
"links": [],
"reference": "CERTFR-2020-AVI-712",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-11-04T00:00:00.000000"
},
{
"description": "Correction d\u0027une coquille dans la source.",
"revision_date": "2020-11-23T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans SaltStack. Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans SaltStack",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 SaltStack du 03 novembre 2020",
"url": "https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/"
}
]
}
Title
SaltStack Salt API任意代码执行漏洞
Description
SaltStack Salt是SaltStack公司的一套开源的用于管理基础架构的工具。
SaltStack Salt API存在输入验证漏洞,远程攻击者可以利用该漏洞提交特殊的请求,可未授权访问任意代码。
Severity
高
Patch Name
SaltStack Salt API任意代码执行漏洞的补丁
Patch Description
SaltStack Salt是SaltStack公司的一套开源的用于管理基础架构的工具。
SaltStack Salt API存在输入验证漏洞,远程攻击者可以利用该漏洞提交特殊的请求,可未授权访问任意代码。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://gitlab.com/saltstack/open/salt-patches/-/commit/a8b998ae07dbf752cbd6a1d1cdcdcc366bffb04e
Reference
https://www.auscert.org.au/bulletins/ESB-2020.3863/
Impacted products
| Name | SaltStack Salt |
|---|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2020-25592",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-25592"
}
},
"description": "SaltStack Salt\u662fSaltStack\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u7528\u4e8e\u7ba1\u7406\u57fa\u7840\u67b6\u6784\u7684\u5de5\u5177\u3002\n\nSaltStack Salt API\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u53ef\u672a\u6388\u6743\u8bbf\u95ee\u4efb\u610f\u4ee3\u7801\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://gitlab.com/saltstack/open/salt-patches/-/commit/a8b998ae07dbf752cbd6a1d1cdcdcc366bffb04e",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2020-64309",
"openTime": "2020-11-19",
"patchDescription": "SaltStack Salt\u662fSaltStack\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u7528\u4e8e\u7ba1\u7406\u57fa\u7840\u67b6\u6784\u7684\u5de5\u5177\u3002\r\n\r\nSaltStack Salt API\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u53ef\u672a\u6388\u6743\u8bbf\u95ee\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "SaltStack Salt API\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "SaltStack Salt"
},
"referenceLink": "https://www.auscert.org.au/bulletins/ESB-2020.3863/",
"serverity": "\u9ad8",
"submitTime": "2020-11-09",
"title": "SaltStack Salt API\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}
FKIE_CVE-2020-25592
Vulnerability from fkie_nvd - Published: 2020-11-06 08:15 - Updated: 2024-11-21 05:18
Severity
Summary
In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| saltstack | salt | * | |
| saltstack | salt | * | |
| saltstack | salt | * | |
| saltstack | salt | * | |
| saltstack | salt | * | |
| saltstack | salt | * | |
| saltstack | salt | * | |
| saltstack | salt | * | |
| saltstack | salt | * | |
| saltstack | salt | * | |
| saltstack | salt | * | |
| saltstack | salt | * | |
| saltstack | salt | * | |
| saltstack | salt | 3001 | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F9405E3-F2B0-41BA-A39D-61BB38475A59",
"versionEndExcluding": "2015.8.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A35C23D3-82D4-46E7-BF08-9229C04C0C3D",
"versionEndExcluding": "2015.8.13",
"versionStartIncluding": "2015.8.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4741BD5-4C40-48BC-A2C1-E6AB33818201",
"versionEndExcluding": "2016.3.4",
"versionStartIncluding": "2016.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D28A2B5-316A-45DC-AC85-A0F743C4B3C4",
"versionEndExcluding": "2016.3.6",
"versionStartIncluding": "2016.3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "17C96153-85C1-45DC-A48B-46A3900246E2",
"versionEndExcluding": "2016.3.8",
"versionStartIncluding": "2016.3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0A54497-D7E2-4A2C-9719-4D992B296498",
"versionEndExcluding": "2016.11.3",
"versionStartIncluding": "2016.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "920C57AF-6E88-465A-83FA-AB947D4C6F0B",
"versionEndExcluding": "2016.11.6",
"versionStartIncluding": "2016.11.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "11D84847-0C8A-473A-9186-46FABD7BB59A",
"versionEndExcluding": "2016.11.10",
"versionStartIncluding": "2016.11.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C45ACC11-CA9B-4451-B6DD-BD784349CDE8",
"versionEndExcluding": "2017.7.4",
"versionStartIncluding": "2017.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BD998745-FA62-4894-A4FC-767F0DE131B9",
"versionEndExcluding": "2017.7.8",
"versionStartIncluding": "2017.7.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9747884A-8B29-42C9-BF5E-5B6D883A78E3",
"versionEndExcluding": "2018.3.5",
"versionStartIncluding": "2018.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F7A2912C-7F48-465D-B7F2-93ECD0D0CB74",
"versionEndExcluding": "2019.2.5",
"versionStartIncluding": "2019.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D64191C4-C3D3-4615-B7D5-26ADA8BD7C7B",
"versionEndExcluding": "3000.3",
"versionStartIncluding": "3000.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:saltstack:salt:3001:*:*:*:*:*:*:*",
"matchCriteriaId": "74CAD70E-E77C-4010-B224-CEE3968CB6A2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH."
},
{
"lang": "es",
"value": "En SaltStack Salt versiones hasta 3002, salt-netapi comprueba inapropiadamente credenciales y tokens de eauth. Un usuario puede omitir la autenticaci\u00f3n e invocar Salt SSH"
}
],
"id": "CVE-2020-25592",
"lastModified": "2024-11-21T05:18:10.730",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-06T08:15:13.503",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.saltstack.com/en/latest/topics/releases/index.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202011-13"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4837"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.saltstack.com/en/latest/topics/releases/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202011-13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4837"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-29J3-2446-5J4W
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2024-10-22 14:52
Summary
SaltStack Salt Improper Validation of eauth credentials and tokens in salt-netapi
Details
In SaltStack the salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
Severity
9.8 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "salt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2015.8.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "salt"
},
"ranges": [
{
"events": [
{
"introduced": "2016.3.0"
},
{
"fixed": "2016.3.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "salt"
},
"ranges": [
{
"events": [
{
"introduced": "2016.11.0"
},
{
"fixed": "2016.11.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "salt"
},
"ranges": [
{
"events": [
{
"introduced": "2017.5.0"
},
{
"fixed": "2017.7.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "salt"
},
"ranges": [
{
"events": [
{
"introduced": "2018.2.0"
},
{
"fixed": "2018.3.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "salt"
},
"ranges": [
{
"events": [
{
"introduced": "2019.2.0"
},
{
"fixed": "2019.2.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "salt"
},
"ranges": [
{
"events": [
{
"introduced": "3000.0"
},
{
"fixed": "3000.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "salt"
},
"ranges": [
{
"events": [
{
"introduced": "3001.0"
},
{
"fixed": "3001.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "salt"
},
"ranges": [
{
"events": [
{
"introduced": "3002.0"
},
{
"fixed": "3002.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-25592"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T22:23:17Z",
"nvd_published_at": "2020-11-06T08:15:00Z",
"severity": "CRITICAL"
},
"details": "In SaltStack the salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.",
"id": "GHSA-29j3-2446-5j4w",
"modified": "2024-10-22T14:52:20Z",
"published": "2022-05-24T17:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25592"
},
{
"type": "WEB",
"url": "https://docs.saltstack.com/en/latest/topics/releases/index.html"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2020-106.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/saltstack/salt"
},
{
"type": "WEB",
"url": "https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/2019.2.7.rst#L12"
},
{
"type": "WEB",
"url": "https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3000.5.rst#L12"
},
{
"type": "WEB",
"url": "https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3001.3.rst#L12"
},
{
"type": "WEB",
"url": "https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3002.1.rst#L14"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202011-13"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4837"
},
{
"type": "WEB",
"url": "https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "SaltStack Salt Improper Validation of eauth credentials and tokens in salt-netapi"
}
GSD-2020-25592
Vulnerability from gsd - Updated: 2023-12-13 01:21
Details
In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-25592",
"description": "In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.",
"id": "GSD-2020-25592",
"references": [
"https://www.suse.com/security/cve/CVE-2020-25592.html",
"https://www.debian.org/security/2021/dsa-4837",
"https://security.archlinux.org/CVE-2020-25592",
"https://packetstormsecurity.com/files/cve/CVE-2020-25592"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-25592"
],
"details": "In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.",
"id": "GSD-2020-25592",
"modified": "2023-12-13T01:21:56.981667Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-25592",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.saltstack.com/en/latest/topics/releases/index.html",
"refsource": "MISC",
"url": "https://docs.saltstack.com/en/latest/topics/releases/index.html"
},
{
"name": "https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/",
"refsource": "CONFIRM",
"url": "https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/"
},
{
"name": "FEDORA-2020-9e040bd6dd",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/"
},
{
"name": "openSUSE-SU-2020:1868",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html"
},
{
"name": "GLSA-202011-13",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202011-13"
},
{
"name": "http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html"
},
{
"name": "[debian-lts-announce] 20201204 [SECURITY] [DLA 2480-1] salt security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html"
},
{
"name": "DSA-4837",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4837"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c2015.8.13||\u003e=2016.3.0,\u003c2016.3.8||\u003e=2016.11.0,\u003c2016.11.10|| \u003e=2017.5.0,\u003c2017.7.8||\u003e=2018.2.0,\u003c2018.3.5||\u003e=2019.2.0,\u003c2019.2.5|| \u003e=3000.0,\u003c3000.3||==3001",
"affected_versions": "All versions before 2015.8.13, all versions starting from 2016.3.0 before 2016.3.8, all versions starting from 2016.11.0 before 2016.11.10, all versions starting from 2017.5.0 before 2017.7.8, all versions starting from 2018.2.0 before 2018.3.5, all versions starting from 2019.2.0 before 2019.2.5, all versions starting from 3000.0 before 3000.3, version 3001",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2021-07-21",
"description": "In SaltStack Salt, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.",
"fixed_versions": [
"2015.8.13",
"2016.3.8",
"2016.11.10",
"2017.7.8",
"2018.3.5",
"2019.2.5",
"3000.3",
"3001.1"
],
"identifier": "CVE-2020-25592",
"identifiers": [
"CVE-2020-25592"
],
"not_impacted": "All versions starting from 2015.8.13 before 2016.3.0, all versions starting from 2016.3.8 before 2016.11.0, all versions starting from 2016.11.10 before 2017.5.0, all versions starting from 2017.7.8 before 2018.2.0, all versions starting from 2018.3.5 before 2019.2.0, all versions starting from 2019.2.5 before 3000.0, all versions starting from 3000.3 before 3001, all versions after 3001",
"package_slug": "pypi/salt",
"pubdate": "2020-11-06",
"solution": "Upgrade to versions 2015.8.13, 2016.3.8, 2016.11.10, 2017.7.8, 2018.3.5, 2019.2.5, 3000.3, 3001.1 or above.",
"title": "Improper Input Validation",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-25592",
"https://docs.saltstack.com/en/latest/topics/releases/index.html",
"https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/"
],
"uuid": "e861edd2-03f5-4f28-80f5-98de921a1452"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2015.8.10",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2015.8.13",
"versionStartIncluding": "2015.8.11",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2016.3.4",
"versionStartIncluding": "2016.3.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2016.3.6",
"versionStartIncluding": "2016.3.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2016.3.8",
"versionStartIncluding": "2016.3.7",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2016.11.3",
"versionStartIncluding": "2016.11.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2016.11.6",
"versionStartIncluding": "2016.11.4",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2016.11.10",
"versionStartIncluding": "2016.11.7",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2017.7.4",
"versionStartIncluding": "2017.5.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2017.7.8",
"versionStartIncluding": "2017.7.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2018.3.5",
"versionStartIncluding": "2018.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2019.2.5",
"versionStartIncluding": "2019.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3000.3",
"versionStartIncluding": "3000.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:saltstack:salt:3001:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-25592"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.saltstack.com/en/latest/topics/releases/index.html",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.saltstack.com/en/latest/topics/releases/index.html"
},
{
"name": "https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/"
},
{
"name": "FEDORA-2020-9e040bd6dd",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/"
},
{
"name": "openSUSE-SU-2020:1868",
"refsource": "SUSE",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html"
},
{
"name": "GLSA-202011-13",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202011-13"
},
{
"name": "http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html",
"refsource": "MISC",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html"
},
{
"name": "[debian-lts-announce] 20201204 [SECURITY] [DLA 2480-1] salt security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html"
},
{
"name": "DSA-4837",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4837"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2021-07-21T11:39Z",
"publishedDate": "2020-11-06T08:15Z"
}
}
}
OPENSUSE-SU-2020:1833-1
Vulnerability from csaf_opensuse - Published: 2020-11-05 13:34 - Updated: 2020-11-05 13:34
Summary
Security update for salt
Severity
Critical
Notes
Title of the patch: Security update for salt
Description of the patch: This update for salt fixes the following issues:
- Properly validate eauth credentials and tokens on SSH calls made by Salt API
(bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592, CVE-2020-17490, CVE-2020-16846)
- Fix disk.blkid to avoid unexpected keyword argument '__pub_user'. (bsc#1177867)
- Ensure virt.update stop_on_reboot is updated with its default value.
- Do not break package building for systemd OSes.
- Drop wrong mock from chroot unit test.
- Support systemd versions with dot. (bsc#1176294)
- Fix for grains.test_core unit test.
- Fix file/directory user and group ownership containing UTF-8 characters. (bsc#1176024)
- Several changes to virtualization:
* Fix virt update when cpu and memory are changed.
* Memory Tuning GSoC.
* Properly fix memory setting regression in virt.update.
* Expose libvirt on_reboot in virt states.
- Support transactional systems (MicroOS).
- zypperpkg module ignores retcode 104 for search(). (bsc#1159670)
- Xen disk fixes. No longer generates volumes for Xen disks, but the corresponding
file or block disk. (bsc#1175987)
- Invalidate file list cache when cache file modified time is in the future. (bsc#1176397)
- Prevent import errors when running test_btrfs unit tests.
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patchnames: openSUSE-2020-1833
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
9.8 (Critical)
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python2-salt-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:python3-salt-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-api-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-bash-completion-3000-lp152.3.15.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-cloud-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-doc-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-fish-completion-3000-lp152.3.15.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-master-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-minion-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-proxy-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-ssh-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-syndic-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-zsh-completion-3000-lp152.3.15.1.noarch | — | Vendor Fix |
Threats
Impact
critical
6.2 (Medium)
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python2-salt-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:python3-salt-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-api-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-bash-completion-3000-lp152.3.15.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-cloud-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-doc-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-fish-completion-3000-lp152.3.15.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-master-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-minion-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-proxy-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-ssh-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-syndic-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-zsh-completion-3000-lp152.3.15.1.noarch | — | Vendor Fix |
Threats
Impact
moderate
9.8 (Critical)
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python2-salt-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:python3-salt-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-api-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-bash-completion-3000-lp152.3.15.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-cloud-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-doc-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-fish-completion-3000-lp152.3.15.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-master-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-minion-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-proxy-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-ssh-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-syndic-3000-lp152.3.15.1.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:salt-zsh-completion-3000-lp152.3.15.1.noarch | — | Vendor Fix |
Threats
Impact
critical
References
22 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for salt",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for salt fixes the following issues:\n\n- Properly validate eauth credentials and tokens on SSH calls made by Salt API \n (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592, CVE-2020-17490, CVE-2020-16846)\n- Fix disk.blkid to avoid unexpected keyword argument \u0027__pub_user\u0027. (bsc#1177867)\n- Ensure virt.update stop_on_reboot is updated with its default value.\n- Do not break package building for systemd OSes.\n- Drop wrong mock from chroot unit test.\n- Support systemd versions with dot. (bsc#1176294)\n- Fix for grains.test_core unit test.\n- Fix file/directory user and group ownership containing UTF-8 characters. (bsc#1176024)\n- Several changes to virtualization:\n * Fix virt update when cpu and memory are changed.\n * Memory Tuning GSoC.\n * Properly fix memory setting regression in virt.update.\n * Expose libvirt on_reboot in virt states.\n- Support transactional systems (MicroOS).\n- zypperpkg module ignores retcode 104 for search(). (bsc#1159670)\n- Xen disk fixes. No longer generates volumes for Xen disks, but the corresponding\n file or block disk. (bsc#1175987)\n- Invalidate file list cache when cache file modified time is in the future. (bsc#1176397)\n- Prevent import errors when running test_btrfs unit tests.\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-1833",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1833-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:1833-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2W22H3YLCTB3S3UBN7YRWYRBMUPL5V5B/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:1833-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2W22H3YLCTB3S3UBN7YRWYRBMUPL5V5B/"
},
{
"category": "self",
"summary": "SUSE Bug 1159670",
"url": "https://bugzilla.suse.com/1159670"
},
{
"category": "self",
"summary": "SUSE Bug 1175987",
"url": "https://bugzilla.suse.com/1175987"
},
{
"category": "self",
"summary": "SUSE Bug 1176024",
"url": "https://bugzilla.suse.com/1176024"
},
{
"category": "self",
"summary": "SUSE Bug 1176294",
"url": "https://bugzilla.suse.com/1176294"
},
{
"category": "self",
"summary": "SUSE Bug 1176397",
"url": "https://bugzilla.suse.com/1176397"
},
{
"category": "self",
"summary": "SUSE Bug 1177867",
"url": "https://bugzilla.suse.com/1177867"
},
{
"category": "self",
"summary": "SUSE Bug 1178319",
"url": "https://bugzilla.suse.com/1178319"
},
{
"category": "self",
"summary": "SUSE Bug 1178361",
"url": "https://bugzilla.suse.com/1178361"
},
{
"category": "self",
"summary": "SUSE Bug 1178362",
"url": "https://bugzilla.suse.com/1178362"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-16846 page",
"url": "https://www.suse.com/security/cve/CVE-2020-16846/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-17490 page",
"url": "https://www.suse.com/security/cve/CVE-2020-17490/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-25592 page",
"url": "https://www.suse.com/security/cve/CVE-2020-25592/"
}
],
"title": "Security update for salt",
"tracking": {
"current_release_date": "2020-11-05T13:34:46Z",
"generator": {
"date": "2020-11-05T13:34:46Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:1833-1",
"initial_release_date": "2020-11-05T13:34:46Z",
"revision_history": [
{
"date": "2020-11-05T13:34:46Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "salt-bash-completion-3000-lp152.3.15.1.noarch",
"product": {
"name": "salt-bash-completion-3000-lp152.3.15.1.noarch",
"product_id": "salt-bash-completion-3000-lp152.3.15.1.noarch"
}
},
{
"category": "product_version",
"name": "salt-fish-completion-3000-lp152.3.15.1.noarch",
"product": {
"name": "salt-fish-completion-3000-lp152.3.15.1.noarch",
"product_id": "salt-fish-completion-3000-lp152.3.15.1.noarch"
}
},
{
"category": "product_version",
"name": "salt-zsh-completion-3000-lp152.3.15.1.noarch",
"product": {
"name": "salt-zsh-completion-3000-lp152.3.15.1.noarch",
"product_id": "salt-zsh-completion-3000-lp152.3.15.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python2-salt-3000-lp152.3.15.1.x86_64",
"product": {
"name": "python2-salt-3000-lp152.3.15.1.x86_64",
"product_id": "python2-salt-3000-lp152.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "python3-salt-3000-lp152.3.15.1.x86_64",
"product": {
"name": "python3-salt-3000-lp152.3.15.1.x86_64",
"product_id": "python3-salt-3000-lp152.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-3000-lp152.3.15.1.x86_64",
"product": {
"name": "salt-3000-lp152.3.15.1.x86_64",
"product_id": "salt-3000-lp152.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-api-3000-lp152.3.15.1.x86_64",
"product": {
"name": "salt-api-3000-lp152.3.15.1.x86_64",
"product_id": "salt-api-3000-lp152.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-cloud-3000-lp152.3.15.1.x86_64",
"product": {
"name": "salt-cloud-3000-lp152.3.15.1.x86_64",
"product_id": "salt-cloud-3000-lp152.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-doc-3000-lp152.3.15.1.x86_64",
"product": {
"name": "salt-doc-3000-lp152.3.15.1.x86_64",
"product_id": "salt-doc-3000-lp152.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-master-3000-lp152.3.15.1.x86_64",
"product": {
"name": "salt-master-3000-lp152.3.15.1.x86_64",
"product_id": "salt-master-3000-lp152.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-minion-3000-lp152.3.15.1.x86_64",
"product": {
"name": "salt-minion-3000-lp152.3.15.1.x86_64",
"product_id": "salt-minion-3000-lp152.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-proxy-3000-lp152.3.15.1.x86_64",
"product": {
"name": "salt-proxy-3000-lp152.3.15.1.x86_64",
"product_id": "salt-proxy-3000-lp152.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-ssh-3000-lp152.3.15.1.x86_64",
"product": {
"name": "salt-ssh-3000-lp152.3.15.1.x86_64",
"product_id": "salt-ssh-3000-lp152.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64",
"product": {
"name": "salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64",
"product_id": "salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-syndic-3000-lp152.3.15.1.x86_64",
"product": {
"name": "salt-syndic-3000-lp152.3.15.1.x86_64",
"product_id": "salt-syndic-3000-lp152.3.15.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-salt-3000-lp152.3.15.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python2-salt-3000-lp152.3.15.1.x86_64"
},
"product_reference": "python2-salt-3000-lp152.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-salt-3000-lp152.3.15.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python3-salt-3000-lp152.3.15.1.x86_64"
},
"product_reference": "python3-salt-3000-lp152.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-3000-lp152.3.15.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-3000-lp152.3.15.1.x86_64"
},
"product_reference": "salt-3000-lp152.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-api-3000-lp152.3.15.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-api-3000-lp152.3.15.1.x86_64"
},
"product_reference": "salt-api-3000-lp152.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-bash-completion-3000-lp152.3.15.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-bash-completion-3000-lp152.3.15.1.noarch"
},
"product_reference": "salt-bash-completion-3000-lp152.3.15.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-cloud-3000-lp152.3.15.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-cloud-3000-lp152.3.15.1.x86_64"
},
"product_reference": "salt-cloud-3000-lp152.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-doc-3000-lp152.3.15.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-doc-3000-lp152.3.15.1.x86_64"
},
"product_reference": "salt-doc-3000-lp152.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-fish-completion-3000-lp152.3.15.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-fish-completion-3000-lp152.3.15.1.noarch"
},
"product_reference": "salt-fish-completion-3000-lp152.3.15.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-master-3000-lp152.3.15.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-master-3000-lp152.3.15.1.x86_64"
},
"product_reference": "salt-master-3000-lp152.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-minion-3000-lp152.3.15.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-minion-3000-lp152.3.15.1.x86_64"
},
"product_reference": "salt-minion-3000-lp152.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-proxy-3000-lp152.3.15.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-proxy-3000-lp152.3.15.1.x86_64"
},
"product_reference": "salt-proxy-3000-lp152.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-ssh-3000-lp152.3.15.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-ssh-3000-lp152.3.15.1.x86_64"
},
"product_reference": "salt-ssh-3000-lp152.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64"
},
"product_reference": "salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-syndic-3000-lp152.3.15.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-syndic-3000-lp152.3.15.1.x86_64"
},
"product_reference": "salt-syndic-3000-lp152.3.15.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-zsh-completion-3000-lp152.3.15.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-zsh-completion-3000-lp152.3.15.1.noarch"
},
"product_reference": "salt-zsh-completion-3000-lp152.3.15.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-16846",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-16846"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python2-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:python3-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-api-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-master-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3000-lp152.3.15.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-16846",
"url": "https://www.suse.com/security/cve/CVE-2020-16846"
},
{
"category": "external",
"summary": "SUSE Bug 1178361 for CVE-2020-16846",
"url": "https://bugzilla.suse.com/1178361"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python2-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:python3-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-api-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-master-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3000-lp152.3.15.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:python2-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:python3-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-api-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-master-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3000-lp152.3.15.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-11-05T13:34:46Z",
"details": "critical"
}
],
"title": "CVE-2020-16846"
},
{
"cve": "CVE-2020-17490",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-17490"
}
],
"notes": [
{
"category": "general",
"text": "The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python2-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:python3-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-api-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-master-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3000-lp152.3.15.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-17490",
"url": "https://www.suse.com/security/cve/CVE-2020-17490"
},
{
"category": "external",
"summary": "SUSE Bug 1178362 for CVE-2020-17490",
"url": "https://bugzilla.suse.com/1178362"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python2-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:python3-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-api-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-master-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3000-lp152.3.15.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:python2-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:python3-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-api-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-master-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3000-lp152.3.15.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-11-05T13:34:46Z",
"details": "moderate"
}
],
"title": "CVE-2020-17490"
},
{
"cve": "CVE-2020-25592",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-25592"
}
],
"notes": [
{
"category": "general",
"text": "In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python2-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:python3-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-api-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-master-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3000-lp152.3.15.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-25592",
"url": "https://www.suse.com/security/cve/CVE-2020-25592"
},
{
"category": "external",
"summary": "SUSE Bug 1178319 for CVE-2020-25592",
"url": "https://bugzilla.suse.com/1178319"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python2-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:python3-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-api-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-master-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3000-lp152.3.15.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:python2-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:python3-salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-api-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3000-lp152.3.15.1.noarch",
"openSUSE Leap 15.2:salt-master-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3000-lp152.3.15.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3000-lp152.3.15.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-11-05T13:34:46Z",
"details": "critical"
}
],
"title": "CVE-2020-25592"
}
]
}
OPENSUSE-SU-2020:1868-1
Vulnerability from csaf_opensuse - Published: 2020-11-07 09:55 - Updated: 2020-11-07 09:55
Summary
Security update for salt
Severity
Critical
Notes
Title of the patch: Security update for salt
Description of the patch: This update for salt fixes the following issues:
- Avoid regression on 'salt-master': set passphrase for salt-ssh keys to empty string (bsc#1178485)
- Properly validate eauth credentials and tokens on SSH calls made by Salt API
(bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592, CVE-2020-17490, CVE-2020-16846)
- Fix disk.blkid to avoid unexpected keyword argument '__pub_user'. (bsc#1177867)
- Ensure virt.update stop_on_reboot is updated with its default value.
- Do not break package building for systemd OSes.
- Drop wrong mock from chroot unit test.
- Support systemd versions with dot. (bsc#1176294)
- Fix for grains.test_core unit test.
- Fix file/directory user and group ownership containing UTF-8 characters. (bsc#1176024)
- Several changes to virtualization:
* Fix virt update when cpu and memory are changed.
* Memory Tuning GSoC.
* Properly fix memory setting regression in virt.update.
* Expose libvirt on_reboot in virt states.
- Support transactional systems (MicroOS).
- zypperpkg module ignores retcode 104 for search(). (bsc#1159670)
- Xen disk fixes. No longer generates volumes for Xen disks, but the corresponding file or block disk. (bsc#1175987)
- Invalidate file list cache when cache file modified time is in the future. (bsc#1176397)
- Prevent import errors when running test_btrfs unit tests
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patchnames: openSUSE-2020-1868
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CVE-2020-16846: 9.8 (Critical)
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:python2-salt-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:python3-salt-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-api-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-bash-completion-3000-lp151.5.30.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-cloud-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-doc-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-fish-completion-3000-lp151.5.30.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-master-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-minion-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-proxy-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-ssh-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-syndic-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-zsh-completion-3000-lp151.5.30.1.noarch | — |
Vendor Fix
|
Threats
Impact
critical
CVE-2020-17490: 6.2 (Medium)
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:python2-salt-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:python3-salt-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-api-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-bash-completion-3000-lp151.5.30.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-cloud-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-doc-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-fish-completion-3000-lp151.5.30.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-master-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-minion-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-proxy-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-ssh-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-syndic-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-zsh-completion-3000-lp151.5.30.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
CVE-2020-25592: 9.8 (Critical)
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:python2-salt-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:python3-salt-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-api-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-bash-completion-3000-lp151.5.30.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-cloud-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-doc-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-fish-completion-3000-lp151.5.30.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-master-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-minion-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-proxy-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-ssh-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-syndic-3000-lp151.5.30.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:salt-zsh-completion-3000-lp151.5.30.1.noarch | — |
Vendor Fix
|
Threats
Impact
critical
References
23 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for salt",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for salt fixes the following issues:\n\n- Avoid regression on \u0027salt-master\u0027: set passphrase for salt-ssh keys to empty string (bsc#1178485)\n- Properly validate eauth credentials and tokens on SSH calls made by Salt API \n (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592, CVE-2020-17490, CVE-2020-16846)\n- Fix disk.blkid to avoid unexpected keyword argument \u0027__pub_user\u0027. (bsc#1177867)\n- Ensure virt.update stop_on_reboot is updated with its default value.\n- Do not break package building for systemd OSes.\n- Drop wrong mock from chroot unit test.\n- Support systemd versions with dot. (bsc#1176294)\n- Fix for grains.test_core unit test.\n- Fix file/directory user and group ownership containing UTF-8 characters. (bsc#1176024)\n- Several changes to virtualization:\n * Fix virt update when cpu and memory are changed.\n * Memory Tuning GSoC.\n * Properly fix memory setting regression in virt.update.\n * Expose libvirt on_reboot in virt states.\n- Support transactional systems (MicroOS).\n- zypperpkg module ignores retcode 104 for search(). (bsc#1159670)\n- Xen disk fixes. No longer generates volumes for Xen disks, but the corresponding file or block disk. (bsc#1175987)\n- Invalidate file list cache when cache file modified time is in the future. (bsc#1176397)\n- Prevent import errors when running test_btrfs unit tests\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-1868",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1868-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:1868-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MB6DQ7QYY2NFKZFWBCHEOJR44RYJQMSN/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:1868-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MB6DQ7QYY2NFKZFWBCHEOJR44RYJQMSN/"
},
{
"category": "self",
"summary": "SUSE Bug 1159670",
"url": "https://bugzilla.suse.com/1159670"
},
{
"category": "self",
"summary": "SUSE Bug 1175987",
"url": "https://bugzilla.suse.com/1175987"
},
{
"category": "self",
"summary": "SUSE Bug 1176024",
"url": "https://bugzilla.suse.com/1176024"
},
{
"category": "self",
"summary": "SUSE Bug 1176294",
"url": "https://bugzilla.suse.com/1176294"
},
{
"category": "self",
"summary": "SUSE Bug 1176397",
"url": "https://bugzilla.suse.com/1176397"
},
{
"category": "self",
"summary": "SUSE Bug 1177867",
"url": "https://bugzilla.suse.com/1177867"
},
{
"category": "self",
"summary": "SUSE Bug 1178319",
"url": "https://bugzilla.suse.com/1178319"
},
{
"category": "self",
"summary": "SUSE Bug 1178361",
"url": "https://bugzilla.suse.com/1178361"
},
{
"category": "self",
"summary": "SUSE Bug 1178362",
"url": "https://bugzilla.suse.com/1178362"
},
{
"category": "self",
"summary": "SUSE Bug 1178485",
"url": "https://bugzilla.suse.com/1178485"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-16846 page",
"url": "https://www.suse.com/security/cve/CVE-2020-16846/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-17490 page",
"url": "https://www.suse.com/security/cve/CVE-2020-17490/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-25592 page",
"url": "https://www.suse.com/security/cve/CVE-2020-25592/"
}
],
"title": "Security update for salt",
"tracking": {
"current_release_date": "2020-11-07T09:55:37Z",
"generator": {
"date": "2020-11-07T09:55:37Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:1868-1",
"initial_release_date": "2020-11-07T09:55:37Z",
"revision_history": [
{
"date": "2020-11-07T09:55:37Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "salt-bash-completion-3000-lp151.5.30.1.noarch",
"product": {
"name": "salt-bash-completion-3000-lp151.5.30.1.noarch",
"product_id": "salt-bash-completion-3000-lp151.5.30.1.noarch"
}
},
{
"category": "product_version",
"name": "salt-fish-completion-3000-lp151.5.30.1.noarch",
"product": {
"name": "salt-fish-completion-3000-lp151.5.30.1.noarch",
"product_id": "salt-fish-completion-3000-lp151.5.30.1.noarch"
}
},
{
"category": "product_version",
"name": "salt-zsh-completion-3000-lp151.5.30.1.noarch",
"product": {
"name": "salt-zsh-completion-3000-lp151.5.30.1.noarch",
"product_id": "salt-zsh-completion-3000-lp151.5.30.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python2-salt-3000-lp151.5.30.1.x86_64",
"product": {
"name": "python2-salt-3000-lp151.5.30.1.x86_64",
"product_id": "python2-salt-3000-lp151.5.30.1.x86_64"
}
},
{
"category": "product_version",
"name": "python3-salt-3000-lp151.5.30.1.x86_64",
"product": {
"name": "python3-salt-3000-lp151.5.30.1.x86_64",
"product_id": "python3-salt-3000-lp151.5.30.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-3000-lp151.5.30.1.x86_64",
"product": {
"name": "salt-3000-lp151.5.30.1.x86_64",
"product_id": "salt-3000-lp151.5.30.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-api-3000-lp151.5.30.1.x86_64",
"product": {
"name": "salt-api-3000-lp151.5.30.1.x86_64",
"product_id": "salt-api-3000-lp151.5.30.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-cloud-3000-lp151.5.30.1.x86_64",
"product": {
"name": "salt-cloud-3000-lp151.5.30.1.x86_64",
"product_id": "salt-cloud-3000-lp151.5.30.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-doc-3000-lp151.5.30.1.x86_64",
"product": {
"name": "salt-doc-3000-lp151.5.30.1.x86_64",
"product_id": "salt-doc-3000-lp151.5.30.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-master-3000-lp151.5.30.1.x86_64",
"product": {
"name": "salt-master-3000-lp151.5.30.1.x86_64",
"product_id": "salt-master-3000-lp151.5.30.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-minion-3000-lp151.5.30.1.x86_64",
"product": {
"name": "salt-minion-3000-lp151.5.30.1.x86_64",
"product_id": "salt-minion-3000-lp151.5.30.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-proxy-3000-lp151.5.30.1.x86_64",
"product": {
"name": "salt-proxy-3000-lp151.5.30.1.x86_64",
"product_id": "salt-proxy-3000-lp151.5.30.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-ssh-3000-lp151.5.30.1.x86_64",
"product": {
"name": "salt-ssh-3000-lp151.5.30.1.x86_64",
"product_id": "salt-ssh-3000-lp151.5.30.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64",
"product": {
"name": "salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64",
"product_id": "salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-syndic-3000-lp151.5.30.1.x86_64",
"product": {
"name": "salt-syndic-3000-lp151.5.30.1.x86_64",
"product_id": "salt-syndic-3000-lp151.5.30.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.1",
"product": {
"name": "openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-salt-3000-lp151.5.30.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:python2-salt-3000-lp151.5.30.1.x86_64"
},
"product_reference": "python2-salt-3000-lp151.5.30.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-salt-3000-lp151.5.30.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:python3-salt-3000-lp151.5.30.1.x86_64"
},
"product_reference": "python3-salt-3000-lp151.5.30.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-3000-lp151.5.30.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:salt-3000-lp151.5.30.1.x86_64"
},
"product_reference": "salt-3000-lp151.5.30.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-api-3000-lp151.5.30.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:salt-api-3000-lp151.5.30.1.x86_64"
},
"product_reference": "salt-api-3000-lp151.5.30.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-bash-completion-3000-lp151.5.30.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:salt-bash-completion-3000-lp151.5.30.1.noarch"
},
"product_reference": "salt-bash-completion-3000-lp151.5.30.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-cloud-3000-lp151.5.30.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:salt-cloud-3000-lp151.5.30.1.x86_64"
},
"product_reference": "salt-cloud-3000-lp151.5.30.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-doc-3000-lp151.5.30.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:salt-doc-3000-lp151.5.30.1.x86_64"
},
"product_reference": "salt-doc-3000-lp151.5.30.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-fish-completion-3000-lp151.5.30.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:salt-fish-completion-3000-lp151.5.30.1.noarch"
},
"product_reference": "salt-fish-completion-3000-lp151.5.30.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-master-3000-lp151.5.30.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:salt-master-3000-lp151.5.30.1.x86_64"
},
"product_reference": "salt-master-3000-lp151.5.30.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-minion-3000-lp151.5.30.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:salt-minion-3000-lp151.5.30.1.x86_64"
},
"product_reference": "salt-minion-3000-lp151.5.30.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-proxy-3000-lp151.5.30.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:salt-proxy-3000-lp151.5.30.1.x86_64"
},
"product_reference": "salt-proxy-3000-lp151.5.30.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-ssh-3000-lp151.5.30.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:salt-ssh-3000-lp151.5.30.1.x86_64"
},
"product_reference": "salt-ssh-3000-lp151.5.30.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64"
},
"product_reference": "salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-syndic-3000-lp151.5.30.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:salt-syndic-3000-lp151.5.30.1.x86_64"
},
"product_reference": "salt-syndic-3000-lp151.5.30.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-zsh-completion-3000-lp151.5.30.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:salt-zsh-completion-3000-lp151.5.30.1.noarch"
},
"product_reference": "salt-zsh-completion-3000-lp151.5.30.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-16846",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-16846"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:python2-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:python3-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-api-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-bash-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-cloud-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-doc-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-fish-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-master-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-minion-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-proxy-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-ssh-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-syndic-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-zsh-completion-3000-lp151.5.30.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-16846",
"url": "https://www.suse.com/security/cve/CVE-2020-16846"
},
{
"category": "external",
"summary": "SUSE Bug 1178361 for CVE-2020-16846",
"url": "https://bugzilla.suse.com/1178361"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:python2-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:python3-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-api-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-bash-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-cloud-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-doc-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-fish-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-master-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-minion-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-proxy-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-ssh-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-syndic-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-zsh-completion-3000-lp151.5.30.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:python2-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:python3-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-api-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-bash-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-cloud-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-doc-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-fish-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-master-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-minion-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-proxy-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-ssh-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-syndic-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-zsh-completion-3000-lp151.5.30.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-11-07T09:55:37Z",
"details": "critical"
}
],
"title": "CVE-2020-16846"
},
{
"cve": "CVE-2020-17490",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-17490"
}
],
"notes": [
{
"category": "general",
"text": "The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:python2-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:python3-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-api-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-bash-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-cloud-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-doc-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-fish-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-master-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-minion-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-proxy-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-ssh-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-syndic-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-zsh-completion-3000-lp151.5.30.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-17490",
"url": "https://www.suse.com/security/cve/CVE-2020-17490"
},
{
"category": "external",
"summary": "SUSE Bug 1178362 for CVE-2020-17490",
"url": "https://bugzilla.suse.com/1178362"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:python2-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:python3-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-api-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-bash-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-cloud-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-doc-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-fish-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-master-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-minion-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-proxy-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-ssh-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-syndic-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-zsh-completion-3000-lp151.5.30.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:python2-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:python3-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-api-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-bash-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-cloud-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-doc-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-fish-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-master-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-minion-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-proxy-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-ssh-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-syndic-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-zsh-completion-3000-lp151.5.30.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-11-07T09:55:37Z",
"details": "moderate"
}
],
"title": "CVE-2020-17490"
},
{
"cve": "CVE-2020-25592",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-25592"
}
],
"notes": [
{
"category": "general",
"text": "In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:python2-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:python3-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-api-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-bash-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-cloud-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-doc-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-fish-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-master-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-minion-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-proxy-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-ssh-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-syndic-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-zsh-completion-3000-lp151.5.30.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-25592",
"url": "https://www.suse.com/security/cve/CVE-2020-25592"
},
{
"category": "external",
"summary": "SUSE Bug 1178319 for CVE-2020-25592",
"url": "https://bugzilla.suse.com/1178319"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:python2-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:python3-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-api-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-bash-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-cloud-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-doc-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-fish-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-master-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-minion-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-proxy-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-ssh-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-syndic-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-zsh-completion-3000-lp151.5.30.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:python2-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:python3-salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-api-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-bash-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-cloud-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-doc-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-fish-completion-3000-lp151.5.30.1.noarch",
"openSUSE Leap 15.1:salt-master-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-minion-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-proxy-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-ssh-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-standalone-formulas-configuration-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-syndic-3000-lp151.5.30.1.x86_64",
"openSUSE Leap 15.1:salt-zsh-completion-3000-lp151.5.30.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-11-07T09:55:37Z",
"details": "critical"
}
],
"title": "CVE-2020-25592"
}
]
}
OPENSUSE-SU-2021:0899-1
Vulnerability from csaf_opensuse - Published: 2021-06-23 12:34 - Updated: 2021-06-23 12:34
Summary
Security update for salt
Severity
Critical
Notes
Title of the patch: Security update for salt
Description of the patch: This update for salt fixes the following issues:
Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028)
- Check if dpkgnotify is executable (bsc#1186674)
- Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028)
- virt module updates
* network: handle missing ipv4 netmask attribute
* more network support
* PCI/USB host devices passthrough support
- Set distro requirement to oldest supported version in requirements/base.txt
- Bring missing part of async batch implementation back (CVE-2021-25315, bsc#1182382)
- Always require `python3-distro` (bsc#1182293)
- Remove deprecated warning that breaks minion execution when 'server_id_use_crc' opts is missing
- Fix pkg states when DEB package has 'all' arch
- Do not force beacons configuration to be a list.
- Remove msgpack < 1.0.0 from base requirements (bsc#1176293)
- msgpack support for version >= 1.0.0 (bsc#1171257)
- Fix issue parsing errors in ansiblegate state module
- Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607)
- transactional_update: detect recursion in the executor
- Add subpackage salt-transactional-update (jsc#SLE-18033)
- Improvements on 'ansiblegate' module (bsc#1185092):
* New methods: ansible.targets / ansible.discover_playbooks
- Add support for Alibaba Cloud Linux 2 (Aliyun Linux)
- Regression fix of salt-ssh on processing targets
- Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281)
- Add notify beacon for Debian/Ubuntu systems
- Fix zmq bug that causes salt-call to freeze (bsc#1181368)
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patchnames: openSUSE-2021-899
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.7 (High)
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
9.8 (Critical)
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
9.8 (Critical)
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
Threats
Impact
critical
7.2 (High)
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
Threats
Impact
critical
9.8 (Critical)
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
Threats
Impact
critical
9.8 (Critical)
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
Threats
Impact
critical
Affected products
Recommended
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
37 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for salt",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for salt fixes the following issues:\n\nUpdate to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028) \n\n- Check if dpkgnotify is executable (bsc#1186674)\n- Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028)\n- virt module updates\n * network: handle missing ipv4 netmask attribute\n * more network support\n * PCI/USB host devices passthrough support\n- Set distro requirement to oldest supported version in requirements/base.txt\n- Bring missing part of async batch implementation back (CVE-2021-25315, bsc#1182382)\n- Always require `python3-distro` (bsc#1182293)\n- Remove deprecated warning that breaks minion execution when \u0027server_id_use_crc\u0027 opts is missing\n- Fix pkg states when DEB package has \u0027all\u0027 arch\n- Do not force beacons configuration to be a list.\n- Remove msgpack \u003c 1.0.0 from base requirements (bsc#1176293)\n- msgpack support for version \u003e= 1.0.0 (bsc#1171257)\n- Fix issue parsing errors in ansiblegate state module\n- Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607)\n- transactional_update: detect recursion in the executor\n- Add subpackage salt-transactional-update (jsc#SLE-18033)\n- Improvements on \u0027ansiblegate\u0027 module (bsc#1185092):\n * New methods: ansible.targets / ansible.discover_playbooks\n- Add support for Alibaba Cloud Linux 2 (Aliyun Linux)\n- Regression fix of salt-ssh on processing targets\n- Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281)\n- Add notify beacon for Debian/Ubuntu systems\n- Fix zmq bug that causes salt-call to freeze (bsc#1181368)\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update project.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-899",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0899-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:0899-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6E3YAO2VV3WBUS7PMAT26ZYDS3AXW5VL/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:0899-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6E3YAO2VV3WBUS7PMAT26ZYDS3AXW5VL/"
},
{
"category": "self",
"summary": "SUSE Bug 1171257",
"url": "https://bugzilla.suse.com/1171257"
},
{
"category": "self",
"summary": "SUSE Bug 1176293",
"url": "https://bugzilla.suse.com/1176293"
},
{
"category": "self",
"summary": "SUSE Bug 1179831",
"url": "https://bugzilla.suse.com/1179831"
},
{
"category": "self",
"summary": "SUSE Bug 1181368",
"url": "https://bugzilla.suse.com/1181368"
},
{
"category": "self",
"summary": "SUSE Bug 1182281",
"url": "https://bugzilla.suse.com/1182281"
},
{
"category": "self",
"summary": "SUSE Bug 1182293",
"url": "https://bugzilla.suse.com/1182293"
},
{
"category": "self",
"summary": "SUSE Bug 1182382",
"url": "https://bugzilla.suse.com/1182382"
},
{
"category": "self",
"summary": "SUSE Bug 1185092",
"url": "https://bugzilla.suse.com/1185092"
},
{
"category": "self",
"summary": "SUSE Bug 1185281",
"url": "https://bugzilla.suse.com/1185281"
},
{
"category": "self",
"summary": "SUSE Bug 1186674",
"url": "https://bugzilla.suse.com/1186674"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-15750 page",
"url": "https://www.suse.com/security/cve/CVE-2018-15750/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-15751 page",
"url": "https://www.suse.com/security/cve/CVE-2018-15751/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11651 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11651/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11652 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11652/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-25592 page",
"url": "https://www.suse.com/security/cve/CVE-2020-25592/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-25315 page",
"url": "https://www.suse.com/security/cve/CVE-2021-25315/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-31607 page",
"url": "https://www.suse.com/security/cve/CVE-2021-31607/"
}
],
"title": "Security update for salt",
"tracking": {
"current_release_date": "2021-06-23T12:34:14Z",
"generator": {
"date": "2021-06-23T12:34:14Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:0899-1",
"initial_release_date": "2021-06-23T12:34:14Z",
"revision_history": [
{
"date": "2021-06-23T12:34:14Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"product": {
"name": "salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"product_id": "salt-bash-completion-3002.2-lp152.3.36.1.noarch"
}
},
{
"category": "product_version",
"name": "salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"product": {
"name": "salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"product_id": "salt-fish-completion-3002.2-lp152.3.36.1.noarch"
}
},
{
"category": "product_version",
"name": "salt-zsh-completion-3002.2-lp152.3.36.1.noarch",
"product": {
"name": "salt-zsh-completion-3002.2-lp152.3.36.1.noarch",
"product_id": "salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-salt-3002.2-lp152.3.36.1.x86_64",
"product": {
"name": "python3-salt-3002.2-lp152.3.36.1.x86_64",
"product_id": "python3-salt-3002.2-lp152.3.36.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-3002.2-lp152.3.36.1.x86_64",
"product": {
"name": "salt-3002.2-lp152.3.36.1.x86_64",
"product_id": "salt-3002.2-lp152.3.36.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-api-3002.2-lp152.3.36.1.x86_64",
"product": {
"name": "salt-api-3002.2-lp152.3.36.1.x86_64",
"product_id": "salt-api-3002.2-lp152.3.36.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-cloud-3002.2-lp152.3.36.1.x86_64",
"product": {
"name": "salt-cloud-3002.2-lp152.3.36.1.x86_64",
"product_id": "salt-cloud-3002.2-lp152.3.36.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-doc-3002.2-lp152.3.36.1.x86_64",
"product": {
"name": "salt-doc-3002.2-lp152.3.36.1.x86_64",
"product_id": "salt-doc-3002.2-lp152.3.36.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-master-3002.2-lp152.3.36.1.x86_64",
"product": {
"name": "salt-master-3002.2-lp152.3.36.1.x86_64",
"product_id": "salt-master-3002.2-lp152.3.36.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-minion-3002.2-lp152.3.36.1.x86_64",
"product": {
"name": "salt-minion-3002.2-lp152.3.36.1.x86_64",
"product_id": "salt-minion-3002.2-lp152.3.36.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-proxy-3002.2-lp152.3.36.1.x86_64",
"product": {
"name": "salt-proxy-3002.2-lp152.3.36.1.x86_64",
"product_id": "salt-proxy-3002.2-lp152.3.36.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-ssh-3002.2-lp152.3.36.1.x86_64",
"product": {
"name": "salt-ssh-3002.2-lp152.3.36.1.x86_64",
"product_id": "salt-ssh-3002.2-lp152.3.36.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"product": {
"name": "salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"product_id": "salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-syndic-3002.2-lp152.3.36.1.x86_64",
"product": {
"name": "salt-syndic-3002.2-lp152.3.36.1.x86_64",
"product_id": "salt-syndic-3002.2-lp152.3.36.1.x86_64"
}
},
{
"category": "product_version",
"name": "salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"product": {
"name": "salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"product_id": "salt-transactional-update-3002.2-lp152.3.36.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-salt-3002.2-lp152.3.36.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64"
},
"product_reference": "python3-salt-3002.2-lp152.3.36.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-3002.2-lp152.3.36.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64"
},
"product_reference": "salt-3002.2-lp152.3.36.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-api-3002.2-lp152.3.36.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64"
},
"product_reference": "salt-api-3002.2-lp152.3.36.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-bash-completion-3002.2-lp152.3.36.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch"
},
"product_reference": "salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-cloud-3002.2-lp152.3.36.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64"
},
"product_reference": "salt-cloud-3002.2-lp152.3.36.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-doc-3002.2-lp152.3.36.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64"
},
"product_reference": "salt-doc-3002.2-lp152.3.36.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-fish-completion-3002.2-lp152.3.36.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch"
},
"product_reference": "salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-master-3002.2-lp152.3.36.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64"
},
"product_reference": "salt-master-3002.2-lp152.3.36.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-minion-3002.2-lp152.3.36.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64"
},
"product_reference": "salt-minion-3002.2-lp152.3.36.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-proxy-3002.2-lp152.3.36.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64"
},
"product_reference": "salt-proxy-3002.2-lp152.3.36.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-ssh-3002.2-lp152.3.36.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64"
},
"product_reference": "salt-ssh-3002.2-lp152.3.36.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64"
},
"product_reference": "salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-syndic-3002.2-lp152.3.36.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64"
},
"product_reference": "salt-syndic-3002.2-lp152.3.36.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-transactional-update-3002.2-lp152.3.36.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64"
},
"product_reference": "salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "salt-zsh-completion-3002.2-lp152.3.36.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
},
"product_reference": "salt-zsh-completion-3002.2-lp152.3.36.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-15750",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-15750"
}
],
"notes": [
{
"category": "general",
"text": "Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-15750",
"url": "https://www.suse.com/security/cve/CVE-2018-15750"
},
{
"category": "external",
"summary": "SUSE Bug 1113698 for CVE-2018-15750",
"url": "https://bugzilla.suse.com/1113698"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-06-23T12:34:14Z",
"details": "moderate"
}
],
"title": "CVE-2018-15750"
},
{
"cve": "CVE-2018-15751",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-15751"
}
],
"notes": [
{
"category": "general",
"text": "SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-15751",
"url": "https://www.suse.com/security/cve/CVE-2018-15751"
},
{
"category": "external",
"summary": "SUSE Bug 1113698 for CVE-2018-15751",
"url": "https://bugzilla.suse.com/1113698"
},
{
"category": "external",
"summary": "SUSE Bug 1113699 for CVE-2018-15751",
"url": "https://bugzilla.suse.com/1113699"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-06-23T12:34:14Z",
"details": "moderate"
}
],
"title": "CVE-2018-15751"
},
{
"cve": "CVE-2020-11651",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11651"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11651",
"url": "https://www.suse.com/security/cve/CVE-2020-11651"
},
{
"category": "external",
"summary": "SUSE Bug 1170595 for CVE-2020-11651",
"url": "https://bugzilla.suse.com/1170595"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-06-23T12:34:14Z",
"details": "critical"
}
],
"title": "CVE-2020-11651"
},
{
"cve": "CVE-2020-11652",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11652"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11652",
"url": "https://www.suse.com/security/cve/CVE-2020-11652"
},
{
"category": "external",
"summary": "SUSE Bug 1170595 for CVE-2020-11652",
"url": "https://bugzilla.suse.com/1170595"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-06-23T12:34:14Z",
"details": "critical"
}
],
"title": "CVE-2020-11652"
},
{
"cve": "CVE-2020-25592",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-25592"
}
],
"notes": [
{
"category": "general",
"text": "In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-25592",
"url": "https://www.suse.com/security/cve/CVE-2020-25592"
},
{
"category": "external",
"summary": "SUSE Bug 1178319 for CVE-2020-25592",
"url": "https://bugzilla.suse.com/1178319"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-06-23T12:34:14Z",
"details": "critical"
}
],
"title": "CVE-2020-25592"
},
{
"cve": "CVE-2021-25315",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-25315"
}
],
"notes": [
{
"category": "general",
"text": "CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-25315",
"url": "https://www.suse.com/security/cve/CVE-2021-25315"
},
{
"category": "external",
"summary": "SUSE Bug 1182382 for CVE-2021-25315",
"url": "https://bugzilla.suse.com/1182382"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-06-23T12:34:14Z",
"details": "critical"
}
],
"title": "CVE-2021-25315"
},
{
"cve": "CVE-2021-31607",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-31607"
}
],
"notes": [
{
"category": "general",
"text": "In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-31607",
"url": "https://www.suse.com/security/cve/CVE-2021-31607"
},
{
"category": "external",
"summary": "SUSE Bug 1185281 for CVE-2021-31607",
"url": "https://bugzilla.suse.com/1185281"
},
{
"category": "external",
"summary": "SUSE Bug 1210934 for CVE-2021-31607",
"url": "https://bugzilla.suse.com/1210934"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:python3-salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-api-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-bash-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-cloud-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-doc-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-fish-completion-3002.2-lp152.3.36.1.noarch",
"openSUSE Leap 15.2:salt-master-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-minion-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-proxy-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-ssh-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-standalone-formulas-configuration-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-syndic-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-transactional-update-3002.2-lp152.3.36.1.x86_64",
"openSUSE Leap 15.2:salt-zsh-completion-3002.2-lp152.3.36.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-06-23T12:34:14Z",
"details": "important"
}
],
"title": "CVE-2021-31607"
}
]
}
OPENSUSE-SU-2021:2106-1
Vulnerability from csaf_opensuse - Published: 2021-07-11 12:04 - Updated: 2021-07-11 12:04
Summary
Security update for salt
Severity
Critical
Notes
Title of the patch: Security update for salt
Description of the patch: This update for salt fixes the following issues:
Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028)
- Check if dpkgnotify is executable (bsc#1186674)
- Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028)
- virt module updates
* network: handle missing ipv4 netmask attribute
* more network support
* PCI/USB host devices passthrough support
- Set distro requirement to oldest supported version in requirements/base.txt
- Bring missing part of async batch implementation back (CVE-2021-25315, bsc#1182382)
- Always require `python3-distro` (bsc#1182293)
- Remove deprecated warning that breaks minion execution when 'server_id_use_crc' opts is missing
- Fix pkg states when DEB package has 'all' arch
- Do not force beacons configuration to be a list.
- Remove msgpack < 1.0.0 from base requirements (bsc#1176293)
- msgpack support for version >= 1.0.0 (bsc#1171257)
- Fix issue parsing errors in ansiblegate state module
- Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607)
- transactional_update: detect recursion in the executor
- Add subpackage salt-transactional-update (jsc#SLE-18033)
- Improvements on 'ansiblegate' module (bsc#1185092):
* New methods: ansible.targets / ansible.discover_playbooks
- Add support for Alibaba Cloud Linux 2 (Aliyun Linux)
- Regression fix of salt-ssh on processing targets
- Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281)
- Add notify beacon for Debian/Ubuntu systems
- Fix zmq bug that causes salt-call to freeze (bsc#1181368)
Patchnames: openSUSE-SLE-15.3-2021-2106
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.7 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
Threats
Impact
moderate
9.8 (Critical)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
Threats
Impact
moderate
9.8 (Critical)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
Threats
Impact
critical
7.2 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
Threats
Impact
critical
9.8 (Critical)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
Threats
Impact
critical
9.8 (Critical)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
Threats
Impact
critical
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch | — | Vendor Fix |
Threats
Impact
important
References
37 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for salt",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for salt fixes the following issues:\n\nUpdate to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028) \n\n- Check if dpkgnotify is executable (bsc#1186674)\n- Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028)\n- virt module updates\n * network: handle missing ipv4 netmask attribute\n * more network support\n * PCI/USB host devices passthrough support\n- Set distro requirement to oldest supported version in requirements/base.txt\n- Bring missing part of async batch implementation back (CVE-2021-25315, bsc#1182382)\n- Always require `python3-distro` (bsc#1182293)\n- Remove deprecated warning that breaks minion execution when \u0027server_id_use_crc\u0027 opts is missing\n- Fix pkg states when DEB package has \u0027all\u0027 arch\n- Do not force beacons configuration to be a list.\n- Remove msgpack \u003c 1.0.0 from base requirements (bsc#1176293)\n- msgpack support for version \u003e= 1.0.0 (bsc#1171257)\n- Fix issue parsing errors in ansiblegate state module\n- Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607)\n- transactional_update: detect recursion in the executor\n- Add subpackage salt-transactional-update (jsc#SLE-18033)\n- Improvements on \u0027ansiblegate\u0027 module (bsc#1185092):\n * New methods: ansible.targets / ansible.discover_playbooks\n- Add support for Alibaba Cloud Linux 2 (Aliyun Linux)\n- Regression fix of salt-ssh on processing targets\n- Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281)\n- Add notify beacon for Debian/Ubuntu systems\n- Fix zmq bug that causes salt-call to freeze (bsc#1181368)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-SLE-15.3-2021-2106",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_2106-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:2106-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MU6P3NIODW6ZMC4HZLBROO6ZEOD5KAUX/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:2106-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MU6P3NIODW6ZMC4HZLBROO6ZEOD5KAUX/"
},
{
"category": "self",
"summary": "SUSE Bug 1171257",
"url": "https://bugzilla.suse.com/1171257"
},
{
"category": "self",
"summary": "SUSE Bug 1176293",
"url": "https://bugzilla.suse.com/1176293"
},
{
"category": "self",
"summary": "SUSE Bug 1179831",
"url": "https://bugzilla.suse.com/1179831"
},
{
"category": "self",
"summary": "SUSE Bug 1181368",
"url": "https://bugzilla.suse.com/1181368"
},
{
"category": "self",
"summary": "SUSE Bug 1182281",
"url": "https://bugzilla.suse.com/1182281"
},
{
"category": "self",
"summary": "SUSE Bug 1182293",
"url": "https://bugzilla.suse.com/1182293"
},
{
"category": "self",
"summary": "SUSE Bug 1182382",
"url": "https://bugzilla.suse.com/1182382"
},
{
"category": "self",
"summary": "SUSE Bug 1185092",
"url": "https://bugzilla.suse.com/1185092"
},
{
"category": "self",
"summary": "SUSE Bug 1185281",
"url": "https://bugzilla.suse.com/1185281"
},
{
"category": "self",
"summary": "SUSE Bug 1186674",
"url": "https://bugzilla.suse.com/1186674"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-15750 page",
"url": "https://www.suse.com/security/cve/CVE-2018-15750/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-15751 page",
"url": "https://www.suse.com/security/cve/CVE-2018-15751/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11651 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11651/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11652 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11652/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-25592 page",
"url": "https://www.suse.com/security/cve/CVE-2020-25592/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-25315 page",
"url": "https://www.suse.com/security/cve/CVE-2021-25315/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-31607 page",
"url": "https://www.suse.com/security/cve/CVE-2021-31607/"
}
],
"title": "Security update for salt",
"tracking": {
"current_release_date": "2021-07-11T12:04:10Z",
"generator": {
"date": "2021-07-11T12:04:10Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:2106-1",
"initial_release_date": "2021-07-11T12:04:10Z",
"revision_history": [
{
"date": "2021-07-11T12:04:10Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python2-distro-1.5.0-3.5.1.noarch",
"product": {
"name": "python2-distro-1.5.0-3.5.1.noarch",
"product_id": "python2-distro-1.5.0-3.5.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-distro-1.5.0-3.5.1.noarch",
"product": {
"name": "python3-distro-1.5.0-3.5.1.noarch",
"product_id": "python3-distro-1.5.0-3.5.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-distro-1.5.0-3.5.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch"
},
"product_reference": "python2-distro-1.5.0-3.5.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-distro-1.5.0-3.5.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
},
"product_reference": "python3-distro-1.5.0-3.5.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-15750",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-15750"
}
],
"notes": [
{
"category": "general",
"text": "Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-15750",
"url": "https://www.suse.com/security/cve/CVE-2018-15750"
},
{
"category": "external",
"summary": "SUSE Bug 1113698 for CVE-2018-15750",
"url": "https://bugzilla.suse.com/1113698"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-11T12:04:10Z",
"details": "moderate"
}
],
"title": "CVE-2018-15750"
},
{
"cve": "CVE-2018-15751",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-15751"
}
],
"notes": [
{
"category": "general",
"text": "SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to bypass authentication and execute arbitrary commands via salt-api (netapi).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-15751",
"url": "https://www.suse.com/security/cve/CVE-2018-15751"
},
{
"category": "external",
"summary": "SUSE Bug 1113698 for CVE-2018-15751",
"url": "https://bugzilla.suse.com/1113698"
},
{
"category": "external",
"summary": "SUSE Bug 1113699 for CVE-2018-15751",
"url": "https://bugzilla.suse.com/1113699"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-11T12:04:10Z",
"details": "moderate"
}
],
"title": "CVE-2018-15751"
},
{
"cve": "CVE-2020-11651",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11651"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11651",
"url": "https://www.suse.com/security/cve/CVE-2020-11651"
},
{
"category": "external",
"summary": "SUSE Bug 1170595 for CVE-2020-11651",
"url": "https://bugzilla.suse.com/1170595"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-11T12:04:10Z",
"details": "critical"
}
],
"title": "CVE-2020-11651"
},
{
"cve": "CVE-2020-11652",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11652"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11652",
"url": "https://www.suse.com/security/cve/CVE-2020-11652"
},
{
"category": "external",
"summary": "SUSE Bug 1170595 for CVE-2020-11652",
"url": "https://bugzilla.suse.com/1170595"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-11T12:04:10Z",
"details": "critical"
}
],
"title": "CVE-2020-11652"
},
{
"cve": "CVE-2020-25592",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-25592"
}
],
"notes": [
{
"category": "general",
"text": "In SaltStack Salt through 3002, salt-netapi (the salt-api interface) improperly validates eauth credentials and tokens. A remote user can bypass authentication and invoke Salt SSH.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-25592",
"url": "https://www.suse.com/security/cve/CVE-2020-25592"
},
{
"category": "external",
"summary": "SUSE Bug 1178319 for CVE-2020-25592",
"url": "https://bugzilla.suse.com/1178319"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-11T12:04:10Z",
"details": "critical"
}
],
"title": "CVE-2020-25592"
},
{
"cve": "CVE-2021-25315",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-25315"
}
],
"notes": [
{
"category": "general",
"text": "CWE-287 (Improper Authentication) vulnerability in the salt package of SUSE Linux Enterprise Server 15 SP 3 and openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3; openSUSE Tumbleweed salt versions 3002.2-2.1 and prior.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-25315",
"url": "https://www.suse.com/security/cve/CVE-2021-25315"
},
{
"category": "external",
"summary": "SUSE Bug 1182382 for CVE-2021-25315",
"url": "https://bugzilla.suse.com/1182382"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-11T12:04:10Z",
"details": "critical"
}
],
"title": "CVE-2021-25315"
},
{
"cve": "CVE-2021-31607",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-31607"
}
],
"notes": [
{
"category": "general",
"text": "In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-31607",
"url": "https://www.suse.com/security/cve/CVE-2021-31607"
},
{
"category": "external",
"summary": "SUSE Bug 1185281 for CVE-2021-31607",
"url": "https://bugzilla.suse.com/1185281"
},
{
"category": "external",
"summary": "SUSE Bug 1210934 for CVE-2021-31607",
"url": "https://bugzilla.suse.com/1210934"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:python2-distro-1.5.0-3.5.1.noarch",
"openSUSE Leap 15.3:python3-distro-1.5.0-3.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-11T12:04:10Z",
"details": "important"
}
],
"title": "CVE-2021-31607"
}
]
}