VDB
PYSEC-2017-36
PYSEC-2017-36
PUBLISHED
CVSS 8.699999809265137 HIGH
Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.
Risk Scores
CVSS 4.0
8.699999809265137
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | salt | 0, 2016.11, 2017.7 |
Timeline
- Oct 24, 2017 CVE Published
- Apr 22, 2024 CVE Updated
References
- https://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html url
- https://docs.saltstack.com/en/latest/topics/releases/2016.3.8.html url
- https://docs.saltstack.com/en/latest/topics/releases/2016.11.8.html url
- https://bugzilla.redhat.com/show_bug.cgi?id=1500748 report
- http://lists.opensuse.org/opensuse-updates/2017-10/msg00075.html url
- http://lists.opensuse.org/opensuse-updates/2017-10/msg00073.html url
- https://github.com/saltstack/salt/commit/80d90307b07b3703428ecbb7c8bb468e28a9ae6d fix