RCE in Saltstack Salt
CVE-2013-4438
Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to…
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.006 (69.0th percentile)
Affected products
- Saltstack Salt — versions 0.6.0, 0.7.0, 0.8.0
References
- [oss-security] 20131018 Re: CVE request for saltstack minion identity usurpation (mailing-list, x_refsource_MLIST)
- secalert@redhat.com (x_refsource_CONFIRM, Patch, Vendor Advisory)