Vulnerability in N/a
CVE-2020-25592
In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
EPSS: 0.575 (99.0th percentile)
Affected products
- N/a — versions n/a
Public proof-of-concept exploits
References
- docs.saltstack.com/en/latest/topics/releases/index.html (x_refsource_MISC)
- www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-ne… (x_refsource_CONFIRM)
- FEDORA-2020-9e040bd6dd (vendor-advisory, x_refsource_FEDORA)
- openSUSE-SU-2020:1868 (vendor-advisory, x_refsource_SUSE)
- GLSA-202011-13 (vendor-advisory, x_refsource_GENTOO)
- packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-… (x_refsource_MISC)
- [debian-lts-announce] 20201204 [SECURITY] [DLA 2480-1] salt security update (mailing-list, x_refsource_MLIST)
- DSA-4837 (vendor-advisory, x_refsource_DEBIAN)
Frequently asked questions
- What is CVE-2020-25592?
- CVE-2020-25592 is a vulnerability in N/a. Published 2020-11-06.
- Is CVE-2020-25592 known to be exploited?
- 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.