Filtered by vendor Saltstack
Subscriptions
Total
55 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-17490 | 2 Debian, Saltstack | 2 Debian Linux, Salt | 2023-11-07 | 5.5 Medium |
| The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions. | ||||
| CVE-2020-16846 | 2 Debian, Saltstack | 2 Debian Linux, Salt | 2023-11-07 | 9.8 Critical |
| An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection. | ||||
| CVE-2015-4017 | 1 Saltstack | 1 Salt | 2023-11-07 | N/A |
| Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules. | ||||
| CVE-2023-20898 | 1 Saltstack | 1 Salt | 2023-09-14 | 7.8 High |
| Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash. | ||||
| CVE-2023-20897 | 1 Saltstack | 1 Salt | 2023-09-14 | 5.3 Medium |
| Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted. | ||||
| CVE-2021-25315 | 3 Opensuse, Saltstack, Suse | 3 Tumbleweed, Salt, Suse Linux Enterprise Server | 2023-06-22 | 7.8 High |
| CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. | ||||
| CVE-2019-17361 | 4 Canonical, Debian, Opensuse and 1 more | 4 Ubuntu Linux, Debian Linux, Leap and 1 more | 2023-01-31 | 9.8 Critical |
| In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host. | ||||
| CVE-2013-4439 | 1 Saltstack | 1 Salt | 2022-10-03 | N/A |
| Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key. | ||||
| CVE-2013-4435 | 1 Saltstack | 1 Salt | 2022-10-03 | N/A |
| Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated users who are using external authentication or client ACL to execute restricted routines by embedding the routine in another routine. | ||||
| CVE-2013-4436 | 1 Saltstack | 1 Salt | 2022-10-03 | N/A |
| The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack. | ||||
| CVE-2013-4438 | 1 Saltstack | 1 Salt | 2022-10-03 | N/A |
| Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe. | ||||
| CVE-2013-4437 | 1 Saltstack | 1 Salt | 2022-10-03 | N/A |
| Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0 has unspecified impact and vectors related to "insecure Usage of /tmp." | ||||
| CVE-2013-6617 | 1 Saltstack | 1 Salt | 2022-10-03 | N/A |
| The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it easier for remote attackers to gain privileges. | ||||
| CVE-2020-11651 | 5 Canonical, Debian, Opensuse and 2 more | 5 Ubuntu Linux, Debian Linux, Leap and 2 more | 2022-07-12 | 9.8 Critical |
| An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. | ||||
| CVE-2020-11652 | 6 Blackberry, Canonical, Debian and 3 more | 6 Workspaces Server, Ubuntu Linux, Debian Linux and 3 more | 2022-05-03 | 6.5 Medium |
| An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. | ||||
| CVE-2018-15751 | 1 Saltstack | 1 Salt | 2020-08-20 | N/A |
| SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi). | ||||
| CVE-2018-15750 | 1 Saltstack | 1 Salt | 2020-08-20 | N/A |
| Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server. | ||||
| CVE-2013-2228 | 1 Saltstack | 1 Saltstack | 2019-12-13 | 8.1 High |
| SaltStack RSA Key Generation allows remote users to decrypt communications | ||||
| CVE-2017-7893 | 1 Saltstack | 1 Salt | 2019-10-03 | N/A |
| In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master. | ||||
| CVE-2017-5200 | 1 Saltstack | 1 Salt | 2019-10-03 | N/A |
| Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client. | ||||