SaltStack released an advisory announcing multiple critical vulnerabilities:
Impact: The Salt-API’s SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
Impact: The SaltAPI does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
Impact: Unauthorized access to wheel_async through salt-api can be used to execute arbitrary code/commands.
Impact: Directory traversal in wheel.pillar_roots.write via the SaltAPI.
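While patching is pending, API requests can be screened for the three patterns named above. The following is an added example, not code from SaltStack or from the advisory; the log layout (one JSON lowstate chunk per line), the finding labels and the sample records are constructed assumptions.

```python
import json
from pathlib import PurePosixPath

# Constructed sample: one JSON lowstate chunk per line, as an audit hook or
# reverse proxy in front of salt-api might record them (layout is an assumption).
SAMPLE_LOG = """\
{"client": "local", "tgt": "*", "fun": "test.ping"}
{"client": "ssh", "tgt": "web01", "fun": "test.ping", "ssh_options": ["ProxyCommand=<placeholder>"]}
{"client": "ssh", "tgt": "web01", "fun": "test.ping", "arg": ["-o proxycommand=<placeholder>"]}
{"client": "wheel_async", "fun": "key.list_all"}
{"client": "wheel", "fun": "pillar_roots.write", "data": "x", "path": "../../placeholder.sls"}
{"client": "wheel", "fun": "pillar_roots.write", "data": "x", "path": "app/init.sls"}
"""

def _strings(value):
    """Yield every string nested inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for v in (value.values() if isinstance(value, dict) else value):
            yield from _strings(v)

def audit_chunk(chunk):
    """Return finding labels (hypothetical names) for one lowstate chunk."""
    findings = []
    client = chunk.get("client", "")
    # SSH client: ProxyCommand in ssh_options or in any other argument.
    if client == "ssh" and any("proxycommand" in s.lower() for s in _strings(chunk)):
        findings.append("ssh-proxycommand")
    # wheel_async: credentials are not honored on unpatched masters, so review every call.
    if client == "wheel_async":
        findings.append("wheel_async-call")
    # pillar_roots.write: the target path must stay relative, without '..' parts.
    if client in ("wheel", "wheel_async") and chunk.get("fun") == "pillar_roots.write":
        path = chunk.get("path") or (chunk.get("kwarg") or {}).get("path", "")
        parts = PurePosixPath(path)
        if parts.is_absolute() or ".." in parts.parts:
            findings.append("pillar_roots-traversal")
    return findings

def audit_log(text):
    """Return (line_number, findings) for every flagged record in the log text."""
    hits = ((n, audit_chunk(json.loads(line)))
            for n, line in enumerate(text.splitlines(), 1) if line.strip())
    return [(n, f) for n, f in hits if f]

if __name__ == "__main__":
    for lineno, found in audit_log(SAMPLE_LOG):
        print(lineno, found)
```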
Updates and patches are available:
Questions? Contact: email@example.com