Improper input validation in Saltstack Salt
CVE-2013-4436
The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.007 (72.7th percentile)
Affected products
- Saltstack Salt — versions 0.17.0
References
- [oss-security] 20131018 Re: CVE request for saltstack minion identity usurpation (mailing-list, x_refsource_MLIST)
- secalert@redhat.com (x_refsource_CONFIRM, Patch, Vendor Advisory)