853 matches found
PYSEC-2021-74
In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers in the vmware.py files does not always validate the SSL/TLS certificate...
PYSEC-2021-52
An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks...
PYSEC-2021-75
In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated...
PYSEC-2021-73
An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory...
PYSEC-2021-54
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. They might be used to run command against the salt master or minions...
CVE-2021-3144
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. They might be used to run command against the salt master or minions...
CVE-2021-3197
An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via sshoptions provided in an API request...
CVE-2021-25281
An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheelasync client. Thus, an attacker can remotely run any wheel modules on the master...
CVE-2021-3197
An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via sshoptions provided in an API request...
CVE-2021-25282
An issue was discovered in through SaltStack Salt before 3002.5. The salt.wheel.pillarroots.write method is vulnerable to directory traversal...
CVE-2021-25281
CVE-2021-25281 concerns SaltStack Salt before 3002.5, where salt-api does not honor eauth credentials for the wheel_async client. This allows a remote, unauthenticated attacker to remotely run wheel modules on the master (arbitrary command execution risk via wheel_async). Connected advisories con...
CVE-2020-28972
In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers in the vmware.py files does not always validate the SSL/TLS certificate...
CVE-2021-25281
An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheelasync client. Thus, an attacker can remotely run any wheel modules on the master...
CVE-2020-35662
In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated...
CVE-2021-25283
An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks...
CVE-2021-3144
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. They might be used to run command against the salt master or minions...
CVE-2021-25281
An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheelasync client. Thus, an attacker can remotely run any wheel modules on the master...
CVE-2021-3148
Removed by vendor...
CVE-2021-3144
Removed by vendor...
CVE-2020-28243
Removed by vendor...