—

PYSEC-2020-104

Details

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / salt

Introduced in: 0 Fixed in: 2015.8.10

Fix pip install --upgrade 'salt>=2015.8.10'

References

https://github.com/saltstack/salt/releases [WEB]
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/ [ARTICLE]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/ [WEB]
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html [WEB]
https://security.gentoo.org/glsa/202011-13 [ADVISORY]
http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html [WEB]
https://www.zerodayinitiative.com/advisories/ZDI-20-1380/ [ADVISORY]
https://www.zerodayinitiative.com/advisories/ZDI-20-1379/ [ADVISORY]
https://www.zerodayinitiative.com/advisories/ZDI-20-1383/ [ADVISORY]
https://www.zerodayinitiative.com/advisories/ZDI-20-1381/ [ADVISORY]
https://www.zerodayinitiative.com/advisories/ZDI-20-1382/ [ADVISORY]
https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html [WEB]
https://www.debian.org/security/2021/dsa-4837 [ADVISORY]
https://github.com/advisories/GHSA-qr38-h96j-2j3w [ADVISORY]