CVE-2020-11652

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

References

Affected packages

Git / github.com/saltstack/salt

Affected ranges

Type

GIT

Repo

https://github.com/saltstack/salt

Events

Introduced

Fixed

72df4dd40305bde8838567e568e324e3715930d5

Introduced

9adc2214c3bb7c68f820f7bd5fe5e132b7b3fbc9

Fixed

d234429aba719e139cac45db0104bf6c53cfd4ea

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2019.2.4"
        },
        {
            "introduced": "3000"
        },
        {
            "fixed": "3000.2"
        }
    ]
}

Affected versions

v0.*

v0.10.0

v0.10.1

v0.10.2

v0.10.3

v0.10.4

v0.10.5

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.16

v0.17

v0.6.0

v0.7.0

v0.8.0

v0.8.7

v0.8.9

v0.9.0

v0.9.1

v0.9.2

v0.9.3

v0.9.9

v2014.*

v2014.1

v2014.7

v2015.*

v2015.2

v2015.5

v2015.8

v2016.*

v2016.11

v2016.3

v2016.9

v2017.*

v2017.5

v2017.7

v2018.*

v2018.11

v2018.2

v2018.3

v2019.*

v2019.2

v2019.2.1

v2019.2.1rc1

v2019.2.2

v2019.2.3

v2019.2.3_docs

v2019.2.4

v3000.*

v3000.1

v3000.2

Other

v3000_docs

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11652.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "16.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "18.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.1.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "8.0.0"
            },
            {
                "last_affected": "8.2.6"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.1.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.5.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0.0"
            }
        ]
    }
]