Security ID : QSA-20-04

CVE-2020-11651 in QNAPClub SaltStack


  • Release date : August 12, 2020

  • CVE identifier : CVE-2020-11651

  • Affected products: SaltStack

Severity

Critical

Status

Resolved


Summary

An issue was discovered in SaltStack Salt versions before 2019.2.4 and in Salt 3000 versions before 3000.2. The ClearFuncs class of the salt-master process does not properly validate method calls, which allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
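To check whether an installed Salt version falls in the affected ranges above, the following added example (not code from QNAP or SaltStack) classifies a version string. The function names and sample strings are constructed for illustration, and the input is assumed to be Salt's own version string.

```python
import re

# Fixed releases named in the advisory above.
FIXED_DATE_BRANCH = (2019, 2, 4)   # date-based releases (..., 2018.3.x, 2019.2.x)
FIXED_3000_BRANCH = (3000, 2)      # 3000 release line


def parse_salt_version(text):
    """Return the version as a tuple of ints, e.g. (2019, 2, 3), or None.

    Accepts bare versions ("3000.1") and tool output such as
    "salt-master 2019.2.3 (Fluorine)"; rc/dev suffixes are ignored.
    """
    match = re.search(r"(?<![\d.])(\d{4}(?:\.\d+)*)", text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version):
    """True if the tuple falls in either range the advisory lists."""
    before_2019_2_4 = version < FIXED_DATE_BRANCH
    # Tuple comparison treats a bare (3000,) as older than (3000, 2).
    in_3000_before_fix = (3000,) <= version < FIXED_3000_BRANCH
    return before_2019_2_4 or in_3000_before_fix


def triage(text):
    """Classify one version string: 'affected', 'not affected' or 'unknown'."""
    version = parse_salt_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    samples = [
        "salt-master 2018.3.4 (Oxygen)",
        "salt-master 2019.2.3 (Fluorine)",
        "salt-master 2019.2.4 (Fluorine)",
        "salt-master 3000.1",
        "salt-master 3000.2",
    ]
    for line in samples:
        print(f"{line!r}: {triage(line)}")
```

The string to classify can be taken from the output of `salt-master --version` on the host running the master.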

Recommendation

To fix the vulnerability, we strongly recommend updating SaltStack from QNAPClub to the latest version.

Updating SaltStack

  1. Go to https://www.qnapclub.eu/en
  2. In the search box, enter “SaltStack”.
    SaltStack appears in the search results.
  3. Select SaltStack.
  4. Click Download Now and select a package based on your NAS model.
  5. Install the package.

 

For more information on SaltStack, see the SaltStack documentation.


Acknowledgements: Bùi Đức Tài / secgit.com

Revision History: V1.0 (August 12, 2020) - Published
