
Showing posts from May 2, 2020

Critical SaltStack RCE Bug (CVSS Score 10) Affects Thousands of Data Centers

Two severe security flaws have been discovered in the open-source SaltStack Salt configuration framework that could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. The vulnerabilities were identified by F-Secure researchers earlier this March and disclosed on Thursday, a day after SaltStack released a patch (version 3000.2) addressing the issues, which are rated with a CVSS score of 10. "The vulnerabilities, allocated CVE IDs CVE-2020-11651 and CVE-2020-11652, are of two different classes," the cybersecurity firm said. "One being authentication bypass where functionality was unintentionally exposed to unauthenticated network clients, the other being directory traversal where untrusted input (i.e., parameters in network requests) was not sanitized correctly allowing unconstrained access to the entire filesystem of the master server." The researchers warned that the flaws could be exploited in the wild i
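The directory-traversal bug class the researchers describe, shown as an added example that is not Salt's code and does not reproduce the actual Salt flaw: a naive file-serving function that joins an untrusted request parameter onto a base directory with no check, beside a hardened version that resolves the path and refuses anything that does not stay inside the base. The "master" directory, the outside "secret" file and the request strings are constructed here for the demonstration.

```python
import os
import tempfile

# Constructed demo layout: a "master" file store with one legitimate file,
# and a sibling directory holding a file that should never be readable.
DEMO_ROOT = tempfile.mkdtemp(prefix="demo_master_")
OUTSIDE_DIR = tempfile.mkdtemp(prefix="demo_outside_")
with open(os.path.join(DEMO_ROOT, "minion.conf"), "w") as fh:
    fh.write("id: demo-minion\n")
with open(os.path.join(OUTSIDE_DIR, "secret.txt"), "w") as fh:
    fh.write("not for minions\n")

# A request that climbs out of DEMO_ROOT into the sibling directory.
TRAVERSAL_REQUEST = os.path.join("..", os.path.basename(OUTSIDE_DIR), "secret.txt")


def read_file_unsafe(base, requested):
    """Vulnerable pattern: the untrusted 'requested' value is joined onto
    'base' and opened as-is. '..' segments walk out of the base directory,
    and an absolute 'requested' makes os.path.join discard 'base' entirely."""
    path = os.path.join(base, requested)
    with open(path, "rb") as fh:
        return fh.read()


def read_file_safe(base, requested):
    """Hardened pattern: canonicalise both the base and the joined target
    (resolving '..' and symlinks), then require that the target lies strictly
    inside the base before opening it. The check happens on the resolved
    path, so it cannot be bypassed with encoded or nested '..' tricks."""
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(os.path.join(real_base, requested))
    inside = os.path.commonpath([real_base, real_path]) == real_base
    if not inside or real_path == real_base:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    with open(real_path, "rb") as fh:
        return fh.read()


def traversal_blocked(base, requested):
    """True if the hardened reader rejects the request outright."""
    try:
        read_file_safe(base, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe reader leaks:", read_file_unsafe(DEMO_ROOT, TRAVERSAL_REQUEST))
    print("safe reader, legit file:", read_file_safe(DEMO_ROOT, "minion.conf"))
    print("safe reader blocks traversal:", traversal_blocked(DEMO_ROOT, TRAVERSAL_REQUEST))
    print("safe reader blocks absolute path:", traversal_blocked(DEMO_ROOT, "/etc/passwd"))
```

The key design point is that the containment check runs on `os.path.realpath` output rather than on the raw string: rejecting the literal substring `..` is not enough, because symlinks under the base and platform-specific separators can still lead outside it.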