CVE-2020-17490: SaltStack Salt Allows creating certificates with weak file permissions
CVSS Score: 5.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-17490
GHSA ID:
EPSS Score: 0.11221%
CWE: CWE-732
Published: 5/24/2022
Updated: 10/22/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
salt | pip | < 2015.8.13 | 2015.8.13 |
salt | pip | >= 2016.3.0, < 2016.3.8 | 2016.3.8 |
salt | pip | >= 2016.11.0, < 2016.11.10 | 2016.11.10 |
salt | pip | >= 2017.5.0, < 2017.7.8 | 2017.7.8 |
salt | pip | >= 2018.2.0, < 2018.3.5 | 2018.3.5 |
salt | pip | >= 2019.2.0, < 2019.2.6 | 2019.2.6 |
salt | pip | >= 3000, < 3000.4 | 3000.4 |
salt | pip | >= 3001, < 3001.2 | 3001.2 |
salt | pip | >= 3002, < 3002.1 | 3002.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability documentation explicitly references the TLS execution module's certificate creation functions (create_ca, create_csr, create_self_signed_cert) as failing to set proper permissions. Multiple security advisories (Debian DLA 2480-1, Gentoo GLSA 202011-13) and SaltStack's own release notes for patched versions directly link these functions to the weak file permission issue. The CWE-732 classification matches the pattern of improper permission assignment in certificate generation workflows.