salt

Description: Central system and configuration manager
Version: 2017.7.2-1 [community]

Resolved

| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-438 | 2017.7.1-1 | 2017.7.2-1 | Medium | Fixed | |
| AVG-383 | 2017.7.0-1 | 2017.7.1-1 | Medium | Fixed | |
| AVG-159 | 2016.11.1-1 | 2016.11.2-1 | High | Fixed | |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2017-5200 | AVG-159 | High | Yes | Arbitrary command execution | Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client. Users of Salt-API and salt-ssh could execute a command on the salt... |
| CVE-2017-5192 | AVG-159 | High | No | Arbitrary code execution | The `LocalClient.cmd_batch()` method client does not accept `external_auth` credentials and so access to it from salt-api has been removed for now. This... |
| CVE-2017-14696 | AVG-438 | Medium | Yes | Denial of service | It has been discovered that salt incorrectly handled IDs with null bytes in decoded payloads. A specially crafted authentication request will crash the... |
| CVE-2017-14695 | AVG-438 | Medium | Yes | Directory traversal | It has been discovered that maliciously crafted minion IDs can cause unwanted directory traversals on the salt-master. The flaw is within the minion id... |
| CVE-2017-12791 | AVG-383 | Medium | Yes | Directory traversal | It has been discovered that maliciously crafted minion IDs can cause unwanted directory traversals on the salt-master. The flaw is within the minion id... |

Advisories

| Date | Advisory | Group | Severity | Description |
|---|---|---|---|---|
| 09 Oct 2017 | ASA-201710-12 | AVG-438 | Medium | multiple issues |
| 23 Aug 2017 | ASA-201708-17 | AVG-383 | Medium | directory traversal |
| 31 Jan 2017 | ASA-201701-41 | AVG-159 | High | multiple issues |