CVE-2020-28972

Published: Feb 27, 2021Modified: Nov 21, 2024

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate.

Affected (21)

Products: Saltstack: Salt · Fedoraproject: Fedora · Debian: Debian Linux

1 product

1 product

1 product

Configuration A

15 vulnerable

Vulnerable Software	Affected Versions
Saltstack Salt	Before 2015.8.10
Saltstack Salt	From 2015.8.11 to 2015.8.13
Saltstack Salt	From 2016.11.4 to 2016.11.5
Saltstack Salt	From 2016.11.7 to 2016.11.10
Saltstack Salt	From 2016.3.0 to 2016.3.4
Saltstack Salt	From 2016.3.5 to 2016.3.6
Saltstack Salt	From 2016.3.7 to 2016.3.8
Saltstack Salt	From 2016.3.9 to 2016.11.3
Saltstack Salt	From 2017.5.0 to 2017.7.8
Saltstack Salt	From 2018.2.0 to 2018.3.5
Saltstack Salt	From 2019.2.0 to 2019.2.5
Saltstack Salt	From 2019.2.6 to 2019.2.8
Saltstack Salt	From 3000 to 3000.6
Saltstack Salt	From 3001 to 3001.4
Saltstack Salt	From 3002 to 3002.5

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 32
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0
Debian Debian Linux	Version 9.0

Related CWEs

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (16)

https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Source: cve@mitre.org

Vendor Advisory

https://security.gentoo.org/glsa/202103-01

Source: cve@mitre.org

Third Party Advisory

https://security.gentoo.org/glsa/202310-22

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2021/dsa-5011

Source: cve@mitre.org

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.gentoo.org/glsa/202103-01

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.gentoo.org/glsa/202310-22

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2021/dsa-5011

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.