First published: Sat Feb 27 2021(Updated: )
An issue was discovered in SaltStack Salt before 3002.5. The minion's `restartcheck` is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
SaltStack Salt | <2015.8.10 | |
SaltStack Salt | >=2015.8.11<2015.8.13 | |
SaltStack Salt | >=2016.3.0<2016.3.4 | |
SaltStack Salt | >=2016.3.5<2016.3.6 | |
SaltStack Salt | >=2016.3.7<2016.3.8 | |
SaltStack Salt | >=2016.3.9<2016.11.3 | |
SaltStack Salt | >=2016.11.4<2016.11.5 | |
SaltStack Salt | >=2016.11.7<2016.11.10 | |
SaltStack Salt | >=2017.5.0<2017.7.8 | |
SaltStack Salt | >=2018.2.0<=2018.3.5 | |
SaltStack Salt | >=2019.2.0<2019.2.5 | |
SaltStack Salt | >=2019.2.6<2019.2.8 | |
SaltStack Salt | >=3000<3000.6 | |
SaltStack Salt | >=3001<3001.4 | |
SaltStack Salt | >=3002<3002.5 | |
Fedoraproject Fedora | =32 | |
Fedoraproject Fedora | =33 | |
Fedoraproject Fedora | =34 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
SaltStack Salt | <3002.2<3001.4<3000.6<2019.2.8<2019.2.5<2018.3.5<2017.7.8<2016.11.10<2016.11.6<2016.11.5<2016.11.3<2016.3.8<2016.3.6<2016.3.4<2015.8.13<2015.8.10<3002.5<3001.6<3000.8<3002.5<3001.6<3000.8 | 3002.2 3001.4 3000.6 2019.2.8 2019.2.5 2018.3.5 2017.7.8 2016.11.10 2016.11.6 2016.11.5 2016.11.3 2016.3.8 2016.3.6 2016.3.4 2015.8.13 2015.8.10 3002.5 3001.6 3000.8 3002.5 3001.6 3000.8 |
pip/salt | >=3002<3002.3 | 3002.3 |
pip/salt | >=3001<3001.5 | 3001.5 |
pip/salt | >=3000<3000.7 | 3000.7 |
pip/salt | >=2019.2.0<2019.2.8 | 2019.2.8 |
pip/salt | >=2018.2.0<=2018.3.5 | |
pip/salt | >=2017.5.0<2017.7.8 | 2017.7.8 |
pip/salt | >=2016.11.7<2016.11.10 | 2016.11.10 |
pip/salt | >=2016.3.0<2016.11.5 | 2016.11.5 |
pip/salt | <2015.8.13 | 2015.8.13 |
debian/salt |
Update the minion to the latest release, package or patch file
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID of this issue is CVE-2020-28243.
CVE-2020-28243 has a severity of 7.8 (High).
The vulnerability in SaltStack Salt before 3002.5 allows for local privilege escalation by any user able to create files on the minion in a non-blacklisted directory.
To fix the vulnerability in SaltStack Salt before 3002.5, update to version 3002.5 or later.
More information about CVE-2020-28243 can be found at the following references: [link1], [link2], [link3].