SB2018122002 - OpenSUSE Linux update for salt

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018122002

SB2018122002 - OpenSUSE Linux update for salt

Published: December 20, 2018

Security Bulletin ID SB2018122002
Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Path traversal (CVE-ID: CVE-2018-15750)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input processed by the salt-api component. A remote attacker can send a query request that submits malicious input, conduct directory traversal attack and determine what files exist on the system, and this information can be used to conduct further attacks.


2) Command injection (CVE-ID: CVE-2018-15751)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to improper security restrictions imposed on the salt-api component. A remote attacker can use the salt-apicomponent to send a request that submits malicious input, bypass authentication and execute arbitrary commands on the system.


Remediation

Install update from vendor's website.

References