Security ID: QSA-20-04

CVE-2020-11651 in QNAPClub SaltStack


  • Release date: August 12, 2020

  • CVE identifier: CVE-2020-11651

  • Affected products: SaltStack

Severity

Critical

Status

Resolved


Summary

An issue was discovered in SaltStack versions before Salt 2019.2.4 and Salt 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
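
To check an inventory against the version ranges stated above, the following Python is an added example, not part of the QNAP advisory or of SaltStack's own code. The function names, hostnames and reported version strings are constructed for illustration, and pre-release suffixes such as "rc1" are ignored by assumption.

```python
import re

# Fixed releases named in the advisory: 2019.2.4 and 3000.2.
FIXED_LEGACY = (2019, 2, 4)
BRANCH_3000 = (3000, 0, 0)
FIXED_3000 = (3000, 2, 0)

# First dotted number that is not glued to a preceding word character or dot.
_VERSION_RE = re.compile(r"(?<![\w.])(\d+(?:\.\d+){0,2})")


def parse_salt_version(text):
    """Return (major, minor, patch) from a version string or --version line."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(text):
    """True if the release falls in a range the advisory lists as vulnerable."""
    version = parse_salt_version(text)
    if version < FIXED_LEGACY:  # anything before 2019.2.4
        return True
    return BRANCH_3000 <= version < FIXED_3000  # 3000 and 3000.1


def triage(inventory):
    """Split {host: reported version} into (affected, unparseable) host lists."""
    affected, unparseable = [], []
    for host in sorted(inventory):
        try:
            if is_affected(inventory[host]):
                affected.append(host)
        except ValueError:
            unparseable.append(host)  # needs a manual check
    return affected, unparseable


# Constructed sample inventory; hostnames and strings are illustrative only.
SAMPLE = {
    "nas-01": "salt-master 2019.2.3 (Fluorine)",
    "nas-02": "salt-master 2019.2.4 (Fluorine)",
    "nas-03": "salt-master 3000.1",
    "nas-04": "salt-master 3000.2",
    "nas-05": "not installed",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts in the second list reported no parseable version and should be checked by hand rather than assumed safe.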

Recommendation

To fix the vulnerability, we strongly recommend updating SaltStack from QNAPClub to the latest version.

Updating SaltStack

  1. Go to https://www.qnapclub.eu/en
  2. In the search box, enter “SaltStack”.
    SaltStack appears in the search results.
  3. Select SaltStack.
  4. Click Download Now and select a package based on your NAS model.
  5. Install the package.

 

For more information on SaltStack, see the SaltStack documentation.


Acknowledgements: Bùi Đức Tài / secgit.com

Revision History: V1.0 (August 12, 2020) - Published
