VYPR
Medium severity · 5.3 · NVD Advisory · Published Apr 13, 2017 · Updated May 13, 2026

CVE-2015-1838

Description

modules/serverdensity_device.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
salt (PyPI) | < 2014.7.4 | 2014.7.4

Affected products

2

Patches

1
e11298d7155e

Move install.sh to cachedir for serverdensity_device

https://github.com/saltstack/salt · Colton Myers · Mar 25, 2015 · via ghsa
1 file changed · +14 -5
  • salt/modules/serverdensity_device.py · +14 -5 · modified
    @@ -8,6 +8,8 @@
     import requests
     import json
     import logging
    +import os
    +import tempfile
     
     from salt.exceptions import CommandExecutionError
     
    @@ -216,17 +218,24 @@ def install_agent(agent_key):
     
             salt '*' serverdensity_device.install_agent c2bbdd6689ff46282bdaa07555641498
         '''
    -    work_dir = '/tmp/'
    +    work_dir = os.path.join(__opts__['cachedir'], 'tmp')
    +    if not os.path.isdir(work_dir):
    +        os.mkdir(work_dir)
    +    install_file = tempfile.NamedTemporaryFile(dir=work_dir,
    +                                                   suffix='.sh',
    +                                                   delete=False)
    +    install_filename = install_file.name
    +    install_file.close()
         account_url = get_sd_auth('account_url')
     
         __salt__['cmd.run'](
    -        cmd='curl https://www.serverdensity.com/downloads/agent-install.sh -o install.sh',
    +        cmd='curl https://www.serverdensity.com/downloads/agent-install.sh -o {0}'.format(install_filename),
             cwd=work_dir
         )
    -    __salt__['cmd.run'](cmd='chmod +x install.sh', cwd=work_dir)
    +    __salt__['cmd.run'](cmd='chmod +x {0}'.format(install_filename), cwd=work_dir)
     
         return __salt__['cmd.run'](
    -        cmd='./install.sh -a {account_url} -k {agent_key}'.format(
    -            account_url=account_url, agent_key=agent_key),
    +        cmd='./{filename} -a {account_url} -k {agent_key}'.format(
    +            filename=install_filename, account_url=account_url, agent_key=agent_key),
             cwd=work_dir
         )
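
Review bot: In the final cmd.run call, './{filename}' is formatted with install_filename, which is install_file.name from NamedTemporaryFile(dir=work_dir, ...) and is therefore already the full path under cachedir. Prefixing './' makes the shell resolve that path relative to cwd, so the installer will not be found when cachedir is an absolute path. Drop the './' and run '{filename} -a {account_url} -k {agent_key}' directly. Two smaller points in the same hunk: os.mkdir(work_dir) uses the default mode, and since the purpose of the move is to keep other local users away from the script, pass an explicit mode such as 0o700 and tolerate the directory already existing instead of relying on the isdir check. The delete=False file is never removed after the install runs, and account_url and agent_key are interpolated into the shell string unquoted, so consider removing the file in a finally block and quoting both values.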
    
