An issue exists in SaltStack Salt up to and including 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

Vulnerable Product |
---|
saltstack salt 3001 |
saltstack salt |
debian debian linux 9.0 |
debian debian linux 10.0 |

Fixes look to have landed in GitHub well ahead of disclosure
SaltStack has officially revealed three bugs in its code – two of them seemingly critical – and told users: “We strongly recommend that you prioritize this update.” But the biz appears to have known about the bugs for months and quietly patched them over the summer. SaltStack offers open-source, Python-based automation tools. It was acquired by VMware in October, and Virtzilla hailed the deal as completing and extending its automation offerings and to help it provide a full-stack offerin...