CVE-2020-35662

In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.4 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.4 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
VendorProductVersion
saltstacksalt
𝑥
< 2015.8.10
saltstacksalt
2015.8.11 ≤
𝑥
< 2015.8.13
saltstacksalt
2016.3.0 ≤
𝑥
< 2016.3.4
saltstacksalt
2016.3.5 ≤
𝑥
< 2016.3.6
saltstacksalt
2016.3.7 ≤
𝑥
< 2016.3.8
saltstacksalt
2016.3.9 ≤
𝑥
< 2016.11.3
saltstacksalt
2016.11.4 ≤
𝑥
< 2016.11.5
saltstacksalt
2016.11.7 ≤
𝑥
< 2016.11.10
saltstacksalt
2017.5.0 ≤
𝑥
< 2017.7.8
saltstacksalt
2018.2.0 ≤
𝑥
≤ 2018.3.5
saltstacksalt
2019.2.0 ≤
𝑥
< 2019.2.5
saltstacksalt
2019.2.6 ≤
𝑥
< 2019.2.8
saltstacksalt
3000 ≤
𝑥
< 3000.6
saltstacksalt
3001 ≤
𝑥
< 3001.4
saltstacksalt
3002 ≤
𝑥
< 3002.5
debiandebian_linux
9.0
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
salt
noble
dne
mantic
dne
lunar
dne
kinetic
ignored
jammy
needs-triage
impish
ignored
hirsute
ignored
groovy
ignored
focal
dne
bionic
Fixed 2017.7.4+dfsg1-1ubuntu18.04.2+esm1
released
xenial
Fixed 2015.8.8+ds-1ubuntu0.1+esm2
released
trusty
needs-triage
Common Weakness Enumeration
References
https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
https://security.gentoo.org/glsa/202103-01
https://security.gentoo.org/glsa/202310-22
https://www.debian.org/security/2021/dsa-5011
https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
https://security.gentoo.org/glsa/202103-01
https://security.gentoo.org/glsa/202310-22
https://www.debian.org/security/2021/dsa-5011