Ubuntu Security Notice 6948-1 - It was discovered that Salt incorrectly handled crafted web requests. A remote attacker could possibly use this issue to run arbitrary commands. It was discovered that Salt incorrectly created certificates with weak file permissions. It was discovered that Salt incorrectly handled credential validation. A remote attacker could possibly use this issue to bypass authentication.
57efb96d5f60e2ff00f2eedcf8822df624f594139bdfc6d7e8b2d03186299d0bGentoo Linux Security Advisory 202310-22 - Multiple vulnerabilities have been discovered in Salt, the worst of which could result in local privilege escalation. Versions greater than or equal to 3004.2 are affected.
8d15c49b62885ce5a92b80cc9b7455a545b31835278e8e5f87d3866b3dd6e790Debian Linux Security Advisory 5011-1 - Multiple security vulnerabilities have been discovered in Salt, a powerful remote execution manager, that allow for local privilege escalation on a minion, server side template injection attacks, insufficient checks for eauth credentials, shell and command injections or incorrect validation of SSL certificates.
7bb7fffca8de5352e1fd6dffa90e1381b4c3e9b7b95fb7359363d2650c0511f0This Metasploit module leverages an authentication bypass and directory traversal vulnerabilities in Saltstack Salt's REST API to execute commands remotely on the master as the root user. Every 60 seconds, salt-master service performs a maintenance process check that reloads and executes all the grains on the master, including custom grain modules in the Extension Module directory. So, this module simply creates a Python script at this location and waits for it to be executed. The time interval is set to 60 seconds by default but can be changed in the master configuration file with the loop_interval option. Note that, if an administrator executes commands locally on the master, the maintenance process check will also be performed. It has been fixed in the following installation packages: 3002.5, 3001.6 and 3000.8. Also, a patch is available for the following versions: 3002.2, 3001.4, 3000.6, 2019.2.8, 2019.2.5, 2018.3.5, 2017.7.8, 2016.11.10, 2016.11.6, 2016.11.5, 2016.11.3, 2016.3.8, 2016.3.6, 2016.3.4, 2015.8.13 and 2015.8.10. This module has been tested successfully against versions 3001.4, 3002 and 3002.2 on Ubuntu 18.04.
49c40579de007295532abf11c8ebcc3115636ea6aeaf3fbe9be600207cb7d985Gentoo Linux Security Advisory 202103-1 - Multiple vulnerabilities have been found in Salt, the worst of which could allow remote attacker to execute arbitrary commands. Versions less than 3000.8 are affected.
1fb0dacbd9c9195812a7ba36af666c1b8eadeff44eb24cd158f8df8aba52a654
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed