FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-29 07:54:42 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
50259d8b-243e-11eb-8bae-b42e99975750 | salt -- multiple vulnerabilities

SaltStack reports multiple security vulnerabilities in Salt 3002:

  • CVE-2020-16846: Prevent shell injections in netapi ssh client.
  • CVE-2020-17490: Prevent creating world readable private keys with the tls execution module.
  • CVE-2020-25592: Properly validate eauth credentials and tokens along with their ACLs. Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api. Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls to Salt ssh.

Discovery: 2020-11-06
Entry: 2020-11-12
Affected packages: py36-salt, py37-salt, py38-salt
Affected versions: >= 3002, < 3002.1

https://docs.saltstack.com/en/latest/topics/releases/3002.1.html
CVE-2020-16846
https://nvd.nist.gov/vuln/detail/CVE-2020-16846
CVE-2020-17490
https://nvd.nist.gov/vuln/detail/CVE-2020-17490
CVE-2020-25592
https://nvd.nist.gov/vuln/detail/CVE-2020-25592

a1e03a3d-7be0-11eb-b392-20cf30e32f6d | salt -- multiple vulnerabilities

SaltStack reports multiple security vulnerabilities in Salt:

  • CVE-2021-3197: The Salt-API's SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
  • CVE-2021-25281: The Salt-API does not have eAuth credentials for the wheel_async client.
  • CVE-2021-25282: The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
  • CVE-2021-25283: The jinja renderer does not protect against server-side template injection attacks.
  • CVE-2021-25284: webutils write passwords in cleartext to /var/log/salt/minion
  • CVE-2021-3148: command injection in salt.utils.thin.gen_thin()
  • CVE-2020-35662: Several places where Salt was not verifying the SSL cert by default.
  • CVE-2021-3144: eauth Token can be used once after expiration.
  • CVE-2020-28972: Code base not validating SSL/TLS certificate of the server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack
  • CVE-2020-28243: Local Privilege Escalation in the Minion.

Discovery: 2021-02-25
Entry: 2021-03-03
Affected packages: py36-salt-2019, py37-salt-2019, py38-salt-2019, py36-salt, py37-salt, py38-salt, py39-salt
Affected versions: < 2019.2.8; >= 3000, < 3002.5

https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
CVE-2021-3197
CVE-2021-25281
CVE-2021-25282
CVE-2021-25283
CVE-2021-25284
CVE-2021-3148
CVE-2020-35662
CVE-2021-3144
CVE-2020-28972
CVE-2020-28243