Vulnerability BDU:2022-07060 - Russian Vulnerability Scanner Database

Scores

EPSS

0.000none0.0%

0%20%40%60%80%100%

Percentile: 0.0%

CVSS

9.1critical3.x

0246810

CVSS Score: 9.1/10

All CVSS Scores

CVSS 3.x

9.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVSS 2.0

9.4

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:C

Description

Уязвимость реализации метода salt.wheel.pillar_roots.write системы управления конфигурациями и удалённого выполнения операций SaltStack Salt связана с неверным ограничением имени пути к каталогу с ограниченным доступом. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, раскрыть защищаемую информацию с помощью специально созданного HTTP-запроса

Sources

bdu

Related Vulnerabilities

CVE-2021-25282

Reference Links

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25282

https://access.redhat.com/security/cve/cve-2021-25282

https://www.cybersecurity-help.cz/vdb/SB2021022809

https://packetstormsecurity.com/files/162058/SaltStack-Salt-API-Unauthenticated-Remote-Command-Execution.html

https://github.com/saltstack/salt/releases

https://security.gentoo.org/glsa/202103-01

https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

https://lists.fedoraproject.org/archives/list/package-announce

lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/

https://lists.fedoraproject.org/archives/list/package-announce

lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/

https://lists.fedoraproject.org/archives/list/package-announce

lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/

https://www.suse.com/security/cve/CVE-2020-13543.html

https://security-tracker.debian.org/tracker/CVE-2021-25282

https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html

https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html

https://www.debian.org/security/2021/dsa-5011

https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.5/

https://altsp.su/obnovleniya-bezopasnosti/

Recommendations

Source: bdu

Использование рекомендаций:

Для SaltStack Salt:
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Для Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/

Для Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2021-25282

Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2020-13543.html

Для ОСОН ОСнова Оnyx:Обновление программного обеспечения salt до версии 2018.3.4+dfsg1-6+deb10u3

Для ОС Альт 8 СП: установка обновления из публичного репозитория программного средства

URL: https://bdu.fstec.ru/vul/2022-07060

Vulnerable Software (495)

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "2016.11.10",  "version_start_including": "2016.11.7"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "2019.2.5",  "version_start_including": "2019.2.0"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "2016.3.6",  "version_start_including": "2016.3.5"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "2016.11.5",  "version_start_including": "2016.11.4"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "2015.8.13",  "version_start_including": "2015.8.11"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "2016.11.3",  "version_start_including": "2016.3.9"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "2017.7.8",  "version_start_including": "2017.5.0"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "2018.3.5",  "version_start_including": "2018.2.0"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "2019.2.8",  "version_start_including": "2019.2.6"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "2016.3.4",  "version_start_including": "2016.3.0"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "2016.3.8",  "version_start_including": "2016.3.7"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "2015.8.10"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "3001.6"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "3000.8"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise server for sap applications 15

Trait:

{  "version_end_excluding": "3002.5"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise desktop 15 SP3

Trait:

{  "version_end_excluding": "2016.11.10",  "version_start_including": "2016.11.7"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise desktop 15 SP3

Trait:

{  "version_end_excluding": "2019.2.5",  "version_start_including": "2019.2.0"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise desktop 15 SP3

Trait:

{  "version_end_excluding": "2016.3.6",  "version_start_including": "2016.3.5"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise desktop 15 SP3

Trait:

{  "version_end_excluding": "2016.11.5",  "version_start_including": "2016.11.4"}

Source: bdu

Type: Configuration

Vendor: saltstack, inc

Product: salt

Operating System: suse linux enterprise desktop 15 SP3

Trait:

{  "version_end_excluding": "2015.8.13",  "version_start_including": "2015.8.11"}

Source: bdu

Russian Vulnerability Scanner Database

BDU:2022-07060

Scores

EPSS

CVSS

All CVSS Scores

Vector Breakdown

CVSS

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact

Vector Breakdown

CVSS

Attack Vector

Attack Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Description

Scaner-VS 7 — a modern vulnerability management solution

Sources

Related Vulnerabilities

Reference Links

Recommendations

Vulnerable Software (495)