SaltStack Salt
21 CVEs affecting SaltStack Salt. Latest disclosed: 2019-07-18. Critical: 3, High: 6. Severity and Score are CVSS v3 where available; older entries without a v3 score are listed with those columns blank.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2017-14695 | Critical | 9.8 | 2017-10-24 | Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows re… |
| CVE-2017-12791 | Critical | 9.8 | 2017-08-23 | Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect… |
| CVE-2016-9639 | Critical | 9.1 | 2017-02-07 | Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching. |
| CVE-2017-5200 | High | 8.8 | 2017-09-26 | Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via S… |
| CVE-2017-5192 | High | 8.8 | 2017-09-26 | When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authenti… |
| CVE-2016-1866 | High | 8.1 | 2016-04-12 | Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inse… |
| CVE-2017-8109 | High | 7.8 | 2017-04-25 | The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might l… |
| CVE-2017-14696 | High | 7.5 | 2017-10-24 | SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted aut… |
| CVE-2015-4017 | High | 7.5 | 2017-08-25 | Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules. |
| CVE-2016-3176 | Medium | 5.6 | 2017-01-31 | Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication servi… |
| CVE-2015-1839 | Medium | 5.3 | 2017-04-13 | modules/chef.py in SaltStack before 2014.7.4 does not properly handle files in /tmp. |
| CVE-2015-1838 | Medium | 5.3 | 2017-04-13 | modules/serverdensity_device.py in SaltStack before 2014.7.4 does not properly handle files in /tmp. |
| CVE-2015-8034 | Low | 3.3 | 2017-01-30 | The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the… |
| CVE-2019-1010259 | | | 2019-07-18 | SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. I… |
| CVE-2014-3563 | | | 2014-08-22 | Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary… |
| CVE-2013-6617 | | | 2013-11-05 | The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it easier for remote attackers to gain privi… |
| CVE-2013-4439 | | | 2013-11-05 | Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key. |
| CVE-2013-4438 | | | 2013-11-05 | Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not… |
| CVE-2013-4437 | | | 2013-11-05 | Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0 has unspecified impact and vectors related to "insecure Usage of /tmp." |
| CVE-2013-4436 | | | 2013-11-05 | The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have uns… |
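The two Critical entries at the top of the table, CVE-2017-14695 and CVE-2017-12791, are both described as directory traversal through minion id validation. The block below is an added example written for this page, not Salt's own code, showing the vulnerability class in general: an untrusted id joined straight into a per-minion key path, beside a validator that refuses any id able to escape that directory. The directory layout (`/etc/salt/pki/master/minions/<id>`), the allow-list regex and the sample ids are assumptions constructed for the example.

```python
"""Minion-id validation against directory traversal (added example, not Salt code).

Assumed layout for the example: the master keeps accepted minion keys under
/etc/salt/pki/master/minions/<minion_id>, building that path from the id the
minion presents when it authenticates. If the id is joined into the path without
validation, an id containing '..' or a separator resolves outside that directory.
"""
import posixpath
import re

PKI_DIR = "/etc/salt/pki/master"                  # assumed for the example
MINIONS_DIR = posixpath.join(PKI_DIR, "minions")

# Allow-list (an assumption of this example, not Salt's rule): an alphanumeric
# first character, then hostname-style characters only, at most 255 in total.
# Slashes, backslashes, NUL, whitespace and a bare "." or ".." cannot match.
_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def key_path_unchecked(minion_id: str) -> str:
    """The vulnerable pattern: trust the id and join it straight into the key dir."""
    return posixpath.normpath(posixpath.join(MINIONS_DIR, minion_id))


def valid_id(minion_id) -> bool:
    """True only if the id is syntactically clean AND cannot escape MINIONS_DIR.

    The containment check is defence in depth: if the allow-list were relaxed
    later, a normalised path that leaves the minions directory is still refused.
    The allow-list matters too: posixpath does not treat a backslash as a
    separator, so "..\\..\\x" would pass containment yet traverse on a Windows master.
    """
    if not isinstance(minion_id, str) or not _ID_RE.fullmatch(minion_id):
        return False
    candidate = posixpath.normpath(posixpath.join(MINIONS_DIR, minion_id))
    inside = posixpath.commonpath([MINIONS_DIR, candidate]) == MINIONS_DIR
    return inside and candidate != MINIONS_DIR


def key_path(minion_id: str) -> str:
    """Hardened lookup: validate first, then build the path."""
    if not valid_id(minion_id):
        raise ValueError(f"rejected minion id: {minion_id!r}")
    return posixpath.join(MINIONS_DIR, minion_id)


if __name__ == "__main__":
    # Constructed sample ids: one legitimate, the rest crafted to escape the key dir.
    samples = [
        "web01.example.com",
        "../../../../../root/.ssh/authorized_keys",
        "..",
        "web01/../../../master.pem",
        "..\\..\\..\\master.pem",
    ]
    for sid in samples:
        print(f"{sid!r:45} unchecked -> {key_path_unchecked(sid):45} valid={valid_id(sid)}")
```

Run it directly to see where each crafted id lands when joined without validation; the point of `key_path` is that the path is only ever built after `valid_id` has accepted the id, so the unchecked join never runs on attacker-controlled input.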