Note: This project will be discontinued after December 13, 2021.
Product: Salt (Saltstack)

Repositories | https://github.com/saltstack/salt |
#Vulnerabilities | 51 |

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2018-04-23 | CVE-2017-7893 | In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master. | Salt | 9.8 | ||
2017-09-26 | CVE-2017-5200 | Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client. | Salt | 8.8 | ||
2017-04-25 | CVE-2017-8109 | The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients). | Salt | 7.8 | ||
2017-09-26 | CVE-2017-5192 | When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed. | Salt | 8.8 | ||
2017-10-24 | CVE-2017-14696 | SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request. | Salt | 7.5 | ||
2017-10-24 | CVE-2017-14695 | Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791. | Salt | 9.8 | ||
2017-08-23 | CVE-2017-12791 | Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. | Salt | 9.8 | ||
2017-02-07 | CVE-2016-9639 | Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching. | Salt | 9.1 | ||
2017-01-31 | CVE-2016-3176 | Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient. | Salt | 5.6 | ||
2016-04-12 | CVE-2016-1866 | Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream. | Leap, Salt | 8.1 | ||