Product:

Salt

(Saltstack)
Repositories https://github.com/saltstack/salt
#Vulnerabilities 51
Date Id Summary Products Score Patch Annotated
2018-04-23 CVE-2017-7893 In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master. Salt 9.8
2017-09-26 CVE-2017-5200 Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client. Salt 8.8
2017-04-25 CVE-2017-8109 The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients). Salt 7.8
2017-09-26 CVE-2017-5192 When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed. Salt 8.8
2017-10-24 CVE-2017-14696 SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request. Salt 7.5
2017-10-24 CVE-2017-14695 Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791. Salt 9.8
2017-08-23 CVE-2017-12791 Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. Salt 9.8
2017-02-07 CVE-2016-9639 Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching. Salt 9.1
2017-01-31 CVE-2016-3176 Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient. Salt 5.6
2016-04-12 CVE-2016-1866 Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream. Leap, Salt 8.1