FreshPorts - VuXML
This page displays vulnerability information about FreeBSD Ports.
The VUXML data was last processed by FreshPorts on 2025-01-21 22:24:55 UTC
These are the vulnerabilities relating to the commit you have selected:
VuXML ID | Description |
50259d8b-243e-11eb-8bae-b42e99975750 | salt -- multiple vulnerabilities
SaltStack reports multiple security vulnerabilities in Salt 3002:
- CVE-2020-16846: Prevent shell injections in netapi ssh client.
- CVE-2020-17490: Prevent creating world readable private keys with the tls execution module.
- CVE-2020-25592: Properly validate eauth credentials and tokens along with their ACLs.
Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api.
Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls
to Salt ssh.
Discovery 2020-11-06
Entry 2020-11-12
py36-salt
py37-salt
py38-salt
>= 3002, < 3002.1
https://docs.saltstack.com/en/latest/topics/releases/3002.1.html
CVE-2020-16846
https://nvd.nist.gov/vuln/detail/CVE-2020-16846
CVE-2020-17490
https://nvd.nist.gov/vuln/detail/CVE-2020-17490
CVE-2020-25592
https://nvd.nist.gov/vuln/detail/CVE-2020-25592
|
a1e03a3d-7be0-11eb-b392-20cf30e32f6d | salt -- multiple vulnerabilities
SaltStack reports multiple security vulnerabilities in Salt:
- CVE-2021-3197: The Salt-API's SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
- CVE-2021-25281: The Salt-API does not have eAuth credentials for the wheel_async client.
- CVE-2021-25282: The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
- CVE-2021-25283: The jinja renderer does not protect against server-side template injection attacks.
- CVE-2021-25284: webutils write passwords in cleartext to /var/log/salt/minion
- CVE-2021-3148: command injection in salt.utils.thin.gen_thin()
- CVE-2020-35662: Several places where Salt was not verifying the SSL cert by default.
- CVE-2021-3144: eauth Token can be used once after expiration.
- CVE-2020-28972: Code base not validating SSL/TLS certificate of the server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack
- CVE-2020-28243: Local Privilege Escalation in the Minion.
Discovery 2021-02-25
Entry 2021-03-03
py36-salt-2019
py37-salt-2019
py38-salt-2019
py36-salt
py37-salt
py38-salt
py39-salt
< 2019.2.8
>= 3000, < 3002.5
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
CVE-2021-3197
CVE-2021-25281
CVE-2021-25282
CVE-2021-25283
CVE-2021-25284
CVE-2021-3148
CVE-2020-35662
CVE-2021-3144
CVE-2020-28972
CVE-2020-28243
|