CVSS Score: -

Basic Information

CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -

Technology
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| salt | pip | < 2015.8.13 | 2015.8.13 |
| salt | pip | >= 2016.3.0, < 2016.11.5 | 2016.11.5 |
| salt | pip | >= 2016.11.7, < 2016.11.10 | 2016.11.10 |
| salt | pip | >= 2017.5.0, < 2017.7.8 | 2017.7.8 |
| salt | pip | >= 2018.2.0, <= 2018.3.5 | |
| salt | pip | >= 2019.2.0, < 2019.2.8 | 2019.2.8 |
| salt | pip | >= 3000, < 3000.7 | 3000.7 |
| salt | pip | >= 3001, < 3001.5 | 3001.5 |
| salt | pip | >= 3002, < 3002.3 | 3002.3 |
The vulnerability (CVE-2020-28972) explicitly references improper certificate validation in the VMware-related vmware.py modules. SaltStack's own release notes for the patched versions (3002.3, 3001.5, 3000.7) confirm that SSL certificate validation was not enforced by default in these modules. The get_service_instance and _get_service_instance functions are central to establishing VMware connections in SaltStack, and the vulnerability description aligns with missing certificate checks in those functions. Third-party advisories (Gentoo, Fedora) and the CVE's focus on VMware authentication further corroborate this assessment.