Lucene search

GoogleOSV:GHSA-QX72-Q6W3-QGC7

HistoryMay 24, 2022 - 5:43 p.m.

SaltStack Salt Improper SSL Certificate Validation

2022-05-2417:43:21

Google

osv.dev

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

8.4 High

AI Score

Confidence

High

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.006 Low

EPSS

Percentile

78.7%

JSON

In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated.

CPENameOperatorVersion
salteq0.9.1
salteq3002.1
salteq2015.5.0
salteq2018.3.2
salteq2019.2.7
salteq0.10.2
salteq0.16.4
salteq2016.3.3
salteq0.12.1
salteq0.17.5

Name	Operator	Version
salt	eq	0.9.1
salt	eq	3002.1
salt	eq	2015.5.0
salt	eq	2018.3.2
salt	eq	2019.2.7
salt	eq	0.10.2
salt	eq	0.16.4
salt	eq	2016.3.3
salt	eq	0.12.1
salt	eq	0.17.5

Rows per page:

1-10 of 1681

References

github.com/saltstack/salt

github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3000.7.rst#L18

github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3001.5.rst#L18

github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3002.3.rst#L18

lists.debian.org/debian-lts-announce/2021/11/msg00009.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5

lists.fedoraproject.org/archives/list/[email protected]/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB

lists.fedoraproject.org/archives/list/[email protected]/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH

lists.fedoraproject.org/archives/list/[email protected]/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5

nvd.nist.gov/vuln/detail/CVE-2020-35662

saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25

security.gentoo.org/glsa/202103-01

security.gentoo.org/glsa/202310-22

www.debian.org/security/2021/dsa-5011

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

8.4 High

AI Score

Confidence

High

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.006 Low

EPSS

Percentile

78.7%

JSON

Related for OSV:GHSA-QX72-Q6W3-QGC7