Vulnerabilities > Saltstack

DATE CVE VULNERABILITY TITLE RISK

2021-02-27 CVE-2020-28972 Improper Certificate Validation vulnerability in multiple products
In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate.
network
high complexity
saltstack fedoraproject debian CWE-295
5.9

2021-02-27 CVE-2020-28243 Command Injection vulnerability in multiple products
An issue was discovered in SaltStack Salt before 3002.5.
local
low complexity
saltstack fedoraproject debian CWE-77
7.8

2020-11-06 CVE-2020-25592 Improper Authentication vulnerability in multiple products
In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens.
network
low complexity
saltstack debian CWE-287
critical
9.8

2020-11-06 CVE-2020-17490 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions.
local
low complexity
saltstack debian CWE-732
5.5

2020-11-06 CVE-2020-16846 OS Command Injection vulnerability in multiple products
An issue was discovered in SaltStack Salt through 3002.
network
low complexity
saltstack debian CWE-78
critical
9.8

2020-04-30 CVE-2020-11652 Path Traversal vulnerability in multiple products
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
4.0

2020-04-30 CVE-2020-11651 An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
network
low complexity
saltstack opensuse debian canonical vmware
7.5

2020-01-17 CVE-2019-17361 Command Injection vulnerability in multiple products
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection.
network
low complexity
saltstack debian opensuse canonical CWE-77
critical
9.8

2019-12-03 CVE-2013-2228 Improper Restriction of Excessive Authentication Attempts vulnerability in Saltstack 0.14.0/0.14.1/0.15.0
SaltStack RSA Key Generation allows remote users to decrypt communications
network
saltstack CWE-307
4.3

2019-07-18 CVE-2019-1010259 SQL Injection vulnerability in Saltstack Salt 2018 and Salt 2019
SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection.
network
low complexity
saltstack CWE-89
7.5