9.8

CVE-2020-25592

In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SaltstackSalt Version < 2015.8.10
SaltstackSalt Version >= 2015.8.11 < 2015.8.13
SaltstackSalt Version >= 2016.3.0 < 2016.3.4
SaltstackSalt Version >= 2016.3.5 < 2016.3.6
SaltstackSalt Version >= 2016.3.7 < 2016.3.8
SaltstackSalt Version >= 2016.11.0 < 2016.11.3
SaltstackSalt Version >= 2016.11.4 < 2016.11.6
SaltstackSalt Version >= 2016.11.7 < 2016.11.10
SaltstackSalt Version >= 2017.5.0 < 2017.7.4
SaltstackSalt Version >= 2017.7.5 < 2017.7.8
SaltstackSalt Version >= 2018.2.0 < 2018.3.5
SaltstackSalt Version >= 2019.2.0 < 2019.2.5
SaltstackSalt Version >= 3000.0 < 3000.3
SaltstackSalt Version3001
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 57.45% 0.99
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html
Third Party Advisory
http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html
Third Party Advisory
VDB Entry
https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/
https://security.gentoo.org/glsa/202011-13
Third Party Advisory
https://www.debian.org/security/2021/dsa-4837
Third Party Advisory
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
Vendor Advisory
https://docs.saltstack.com/en/latest/topics/releases/index.html
Vendor Advisory
Release Notes