CVE-2020-11651

Published: 30 April 2020

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

Priority

CVSS 3 base score: 9.8

Status

Package	Release	Status
salt Launchpad, Ubuntu, Debian	bionic	Released (2017.7.4+dfsg1-1ubuntu18.04.2)
	eoan	Ignored (reached end-of-life)
	focal	Does not exist
	precise	Does not exist
	trusty	Does not exist
	upstream	Released (3000.2+dfsg1-1)
	xenial	Released (2015.8.8+ds-1ubuntu0.1)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651
https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html
https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
https://ubuntu.com/security/notices/USN-4459-1
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/ubuntu/+source/salt-minion/+bug/1883658

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›