CVE-2020-11651
| CVE Published | 2020-04-30 |
|---|---|
| Related Vendor(s) | vmware, canonical, saltstack, opensuse, debian |
| Related Product(s) | application_remote_collector, debian_linux, leap, ubuntu_linux, salt |
| Exploitation Reported (CISA KEV) | 2021-11-03 |
| CVSS 3 Base Score | 9.8 (CRITICAL) |
| CVSS 3 Attack Complexity | LOW |
| CVSS 3 Attack Vector | NETWORK |
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
Cyber Threat Graph Context
Explore how this CVE relates to the wider threat graph