CVE-2021-25284 | Medium | No | Information disclosure | An issue was discovered in SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-25283 | High | Yes | Cross-site scripting | An issue was discovered in SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks.
CVE-2021-25282 | Medium | Yes | Directory traversal | An issue was discovered in SaltStack Salt before 3002.5. The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
CVE-2021-25281 | High | Yes | Access restriction bypass | An issue was discovered in SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can...
CVE-2021-3197 | High | Yes | Arbitrary command execution | An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an...
CVE-2021-3148 | Medium | Yes | Arbitrary command execution | An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command...
CVE-2021-3144 | High | Yes | Insufficient validation | In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run commands against the salt master or minions.)
CVE-2020-35662 | High | Yes | Certificate verification bypass | In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated.
CVE-2020-28972 | High | Yes | Certificate verification bypass | In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS...
CVE-2020-28243 | High | No | Privilege escalation | An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This...