Medium severity 6.3 · NVD Advisory · Published Oct 10, 2017 · Updated May 13, 2026
CVE-2015-6918
Description
salt before 2015.5.5 leaks git usernames and passwords to the log.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| salt (PyPI) | < 2015.5.5 | 2015.5.5 |
Patches
28aa9b105804 · Merge pull request #26486 from thusoy/git-confidential-auth
2 files changed · +32 −3
salt/modules/git.py+14 −3 modified@@ -6,6 +6,7 @@ # Import python libs import os +import re import subprocess # Import salt libs @@ -62,6 +63,7 @@ def _git_run(cmd, cwd=None, runas=None, identity=None, **kwargs): result = __salt__['cmd.run_all'](cmd, cwd=cwd, runas=runas, + output_loglevel='quiet', env=env, python_shell=False, **kwargs) @@ -73,7 +75,8 @@ def _git_run(cmd, cwd=None, runas=None, identity=None, **kwargs): if result['retcode'] == 0: return result['stdout'] else: - stderrs.append(result['stderr']) + stderr = _remove_sensitive_data(result['stderr']) + stderrs.append(stderr) # we've tried all IDs and still haven't passed, so error out raise CommandExecutionError("\n\n".join(stderrs)) @@ -82,6 +85,7 @@ def _git_run(cmd, cwd=None, runas=None, identity=None, **kwargs): result = __salt__['cmd.run_all'](cmd, cwd=cwd, runas=runas, + output_loglevel='quiet', env=env, python_shell=False, **kwargs) @@ -90,9 +94,16 @@ def _git_run(cmd, cwd=None, runas=None, identity=None, **kwargs): if retcode == 0: return result['stdout'] else: + stderr = _remove_sensitive_data(result['stderr']) raise CommandExecutionError( - 'Command {0!r} failed. Stderr: {1!r}'.format(cmd, - result['stderr'])) + 'Command {0!r} failed. Stderr: {1!r}'.format(cmd, stderr)) + + +def _remove_sensitive_data(sensitive_output): + ''' + Remove HTTP user and password. + ''' + return re.sub('(https?)://.*@', r'\1://<redacted>@', sensitive_output) def _git_getdir(cwd, user=None):
tests/unit/modules/git_test.py+18 −0 modified@@ -37,6 +37,24 @@ def test_http_basic_authentication(self): result = git._add_http_basic_auth(**kwargs) self.assertEqual(result, expected) + def test_https_user_and_pw_is_confidential(self): + sensitive_outputs = ( + 'https://deadbeaf@example.com', + 'https://user:pw@example.com', + ) + sanitized = 'https://<redacted>@example.com' + for sensitive_output in sensitive_outputs: + result = git._remove_sensitive_data(sensitive_output) + self.assertEqual(result, sanitized) + + def test_git_ssh_user_is_not_treated_as_sensitive(self): + not_sensitive_outputs = ( + 'ssh://user@example.com', + ) + for not_sensitive_output in not_sensitive_outputs: + result = git._remove_sensitive_data(not_sensitive_output) + self.assertEqual(result, not_sensitive_output) + if __name__ == '__main__': from integration import run_tests
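Review bot: in `_remove_sensitive_data` (salt/modules/git.py), the pattern `(https?)://.*@` is greedy and not bounded to the URL's userinfo part, so on a stderr line that contains another `@` after the URL (a second remote, an e-mail address) everything up to the last `@` on that line is replaced, host and path included. Bounding the match to the authority, for example `(https?)://[^/\s]*@`, keeps the redaction while preserving the rest of the message. In the same hunk, the final `raise CommandExecutionError(...)` still formats `cmd` with `{0!r}` unredacted, so if the command line carries the same `user:pw@` URL it reaches the exception text; redact `cmd` before formatting it too.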
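Review bot: `test_https_user_and_pw_is_confidential` (tests/unit/modules/git_test.py) only feeds strings that are exactly a URL, while `_git_run` applies `_remove_sensitive_data` to whole stderr text. Add cases with text before and after the URL and a path component, an `http://` URL (the pattern accepts `https?` but only `https` is exercised), and a line with a second `@` after the URL, each asserting that only the credentials are replaced and that the host and the remaining text survive.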
References
- bugzilla.redhat.com/show_bug.cgi (nvd: Issue Tracking, Patch, Third Party Advisory, VDB Entry, WEB)
- github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a (nvd: Patch, Third Party Advisory, WEB)
- github.com/advisories/GHSA-q2x6-8gfj-hjxw (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-6918 (ghsa: ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2017-70.yaml (ghsa: WEB)
- github.com/saltstack/salt/issues/26484 (ghsa: WEB)
- github.com/saltstack/salt/pull/26486 (ghsa: WEB)