SaltStack: community verdicts
3 notable / known-exploited SaltStack CVEs the community has triaged.
- CVE-2020-16846 | CRIT 9.8 | KEV | EPSS 100%
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
- CVE-2020-11651 | CRIT 9.8 | KEV | EPSS 96%
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
- CVE-2020-11652 | MED 6.5 | KEV | EPSS 86%
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.