Fedoraproject: >> Fedora >> 33 Security Vulnerabilities
An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
CVSS Score
9.8
EPSS Score
0.063
Published
2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory.
CVSS Score
7.8
EPSS Score
0.017
Published
2021-02-27
In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate.
CVSS Score
5.9
EPSS Score
0.004
Published
2021-02-27
In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated.
CVSS Score
7.4
EPSS Score
0.005
Published
2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
CVSS Score
9.8
EPSS Score
0.94
Published
2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
CVSS Score
9.1
EPSS Score
0.912
Published
2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks.
CVSS Score
9.8
EPSS Score
0.057
Published
2021-02-27
A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-02-26
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.
CVSS Score
3.1
EPSS Score
0.005
Published
2021-02-26
.NET Core Remote Code Execution Vulnerability
CVSS Score
8.1
EPSS Score
0.017
Published
2021-02-25