Lucene search

GitHub Advisory DatabaseGHSA-J6GJ-PG62-X8J6

HistoryMay 17, 2022 - 12:24 a.m.

SaltStack Salt Directory traversal vulnerability in minion id validation

2022-05-1700:24:32

CWE-22

GitHub Advisory Database

github.com

9.2 High

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

80.9%

JSON

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.

CPENameOperatorVersion
saltlt2017.7.2
saltlt2016.11.8
saltlt2016.3.8

Name	Operator	Version
salt	lt	2017.7.2
salt	lt	2016.11.8
salt	lt	2016.3.8

References

lists.opensuse.org/opensuse-updates/2017-10/msg00073.html

lists.opensuse.org/opensuse-updates/2017-10/msg00075.html

bugzilla.redhat.com/show_bug.cgi?id=1500748

docs.saltstack.com/en/latest/topics/releases/2016.11.8.html

docs.saltstack.com/en/latest/topics/releases/2016.3.8.html

docs.saltstack.com/en/latest/topics/releases/2017.7.2.html

github.com/advisories/GHSA-j6gj-pg62-x8j6

github.com/saltstack/salt/commit/80d90307b07b3703428ecbb7c8bb468e28a9ae6d

nvd.nist.gov/vuln/detail/CVE-2017-14695