USN-4459-1

Source
https://ubuntu.com/security/notices/USN-4459-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4459-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-4459-1
Related
Published
2020-08-13T21:23:49.889273Z
Modified
2020-08-13T21:23:49.889273Z
Summary
salt vulnerabilities
Details

It was discovered that Salt allows remote attackers to determine which files exist on the server. An attacker could use that to extract sensitive information. (CVE-2018-15750)

It was discovered that Salt has a vulnerability that allows an user to bypass authentication. An attacker could use that to extract sensitive information, execute abritrary code or crash the server. (CVE-2018-15751)

It was discovered that Salt is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host. (CVE-2019-17361)

It was discovered that Salt incorrectly validated method calls and sanitized paths. A remote attacker could possibly use this issue to access some methods without authentication. (CVE-2020-11651, CVE-2020-11652)

References

Affected packages

Ubuntu:16.04:LTS / salt

Package

Name
salt
Purl
pkg:deb/ubuntu/salt?arch=src?distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2015.8.8+ds-1ubuntu0.1

Affected versions

2015.*

2015.5.3+ds-1
2015.8.1+ds-2
2015.8.3+ds-1
2015.8.3+ds-2
2015.8.3+ds-3
2015.8.5+ds-1
2015.8.7+ds-1
2015.8.8+ds-1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2015.8.8+ds-1ubuntu0.1",
            "binary_name": "salt-api"
        },
        {
            "binary_version": "2015.8.8+ds-1ubuntu0.1",
            "binary_name": "salt-cloud"
        },
        {
            "binary_version": "2015.8.8+ds-1ubuntu0.1",
            "binary_name": "salt-common"
        },
        {
            "binary_version": "2015.8.8+ds-1ubuntu0.1",
            "binary_name": "salt-doc"
        },
        {
            "binary_version": "2015.8.8+ds-1ubuntu0.1",
            "binary_name": "salt-master"
        },
        {
            "binary_version": "2015.8.8+ds-1ubuntu0.1",
            "binary_name": "salt-minion"
        },
        {
            "binary_version": "2015.8.8+ds-1ubuntu0.1",
            "binary_name": "salt-proxy"
        },
        {
            "binary_version": "2015.8.8+ds-1ubuntu0.1",
            "binary_name": "salt-ssh"
        },
        {
            "binary_version": "2015.8.8+ds-1ubuntu0.1",
            "binary_name": "salt-syndic"
        }
    ]
}

Ubuntu:18.04:LTS / salt

Package

Name
salt
Purl
pkg:deb/ubuntu/salt?arch=src?distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2017.7.4+dfsg1-1ubuntu18.04.2

Affected versions

2016.*

2016.11.5+ds-1
2016.11.8+dfsg1-1

2017.*

2017.7.2+dfsg1-2ubuntu1
2017.7.3+dfsg1-1
2017.7.4+dfsg1-1
2017.7.4+dfsg1-1ubuntu18.04.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2017.7.4+dfsg1-1ubuntu18.04.2",
            "binary_name": "salt-api"
        },
        {
            "binary_version": "2017.7.4+dfsg1-1ubuntu18.04.2",
            "binary_name": "salt-cloud"
        },
        {
            "binary_version": "2017.7.4+dfsg1-1ubuntu18.04.2",
            "binary_name": "salt-common"
        },
        {
            "binary_version": "2017.7.4+dfsg1-1ubuntu18.04.2",
            "binary_name": "salt-doc"
        },
        {
            "binary_version": "2017.7.4+dfsg1-1ubuntu18.04.2",
            "binary_name": "salt-master"
        },
        {
            "binary_version": "2017.7.4+dfsg1-1ubuntu18.04.2",
            "binary_name": "salt-minion"
        },
        {
            "binary_version": "2017.7.4+dfsg1-1ubuntu18.04.2",
            "binary_name": "salt-proxy"
        },
        {
            "binary_version": "2017.7.4+dfsg1-1ubuntu18.04.2",
            "binary_name": "salt-ssh"
        },
        {
            "binary_version": "2017.7.4+dfsg1-1ubuntu18.04.2",
            "binary_name": "salt-syndic"
        }
    ]
}