CVE-2020-28972

CVE Database · CVE-2020-28972

CVE-2020-28972

· MEDIUMModified

CVSS v3.1

5.9

EPSS

3.09%

Published

Feb 27, 2021

Modified

Nov 21, 2024

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-295

Affected Products (21)

saltstack · salt (up to 2015.8.10)vulnerable

saltstack · salt (up to 2015.8.13)vulnerable

saltstack · salt (up to 2016.3.4)vulnerable

saltstack · salt (up to 2016.3.6)vulnerable

saltstack · salt (up to 2016.3.8)vulnerable

saltstack · salt (up to 2016.11.3)vulnerable

saltstack · salt (up to 2016.11.5)vulnerable

saltstack · salt (up to 2016.11.10)vulnerable

· salt

References (16)

https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/

Mailing ListThird Party Advisory

https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

KEV Catalog EPSS Scores Vendors All CVEs