Lucene search

12 matches found

CVE
added 2017/09/26 2:29 p.m. | 82 views

CVE-2017-5200

Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client.

CVSS 9 | AI score 8.6 | EPSS 0.01262

CVE
added 2017/09/26 2:29 p.m. | 78 views

CVE-2017-5192

When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.

CVSS 8.8 | AI score 8.5 | EPSS 0.00149

CVE
added 2017/08/23 2:29 p.m. | 72 views

CVE-2017-12791

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.

CVSS 9.8 | AI score 9 | EPSS 0.01383

CVE
added 2017/10/24 5:29 p.m. | 67 views

CVE-2017-14696

SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.

CVSS 7.5 | AI score 8 | EPSS 0.02661

CVE
added 2017/10/24 5:29 p.m. | 63 views

CVE-2017-14695

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an i...

CVSS 9.8 | AI score 9.1 | EPSS 0.01383

CVE
added 2017/04/25 5:59 p.m. | 61 views

CVE-2017-8109

The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).

CVSS 7.8 | AI score 7.4 | EPSS 0.00047

CVE
added 2017/04/13 2:59 p.m. | 54 views

CVE-2015-1838

modules/serverdensity_device.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.

CVSS 5.3 | AI score 5.1 | EPSS 0.00164

CVE
added 2017/04/13 2:59 p.m. | 45 views

CVE-2015-1839

modules/chef.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.

CVSS 5.3 | AI score 5.1 | EPSS 0.00082

CVE
added 2017/01/30 10:59 p.m. | 42 views

CVE-2015-8034

The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.

CVSS 3.3 | AI score 3.3 | EPSS 0.00035

CVE
added 2017/01/31 7:59 p.m. | 42 views

CVE-2016-3176

Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.

CVSS 5.6 | AI score 5.6 | EPSS 0.00167

CVE
added 2017/02/07 5:59 p.m. | 42 views

CVE-2016-9639

Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.

CVSS 9.1 | AI score 8.9 | EPSS 0.00325

CVE
added 2017/08/25 6:29 p.m. | 36 views

CVE-2015-4017

Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules.

CVSS 7.5 | AI score 7.5 | EPSS 0.00311