CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.451 Medium
  Percentile: 97.4%
A flaw was found in Salt. Invalid eauth credentials and tokens are not handled correctly when calling Salt SSH via the salt-api, which could allow an attacker to bypass authentication and gain access to restricted information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.
bugzilla.redhat.com/show_bug.cgi?id=1895454
docs.saltstack.com/en/latest/topics/releases/2019.2.7.html
docs.saltstack.com/en/latest/topics/releases/3000.5.html
docs.saltstack.com/en/latest/topics/releases/3001.3.html
docs.saltstack.com/en/latest/topics/releases/3002.1.html
nvd.nist.gov/vuln/detail/CVE-2020-25592
www.cve.org/CVERecord?id=CVE-2020-25592
www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/