Critical severity, CVSS 9.8 (NVD) · Advisory · Published Oct 24, 2017 · Updated May 13, 2026
CVE-2017-14695
Description
Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.
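The description names the cause, an incomplete fix for CVE-2017-12791, without showing why the first check was insufficient. The following is an added example, not Salt's own code: it reimplements both successive validators in simplified form (clean_path here is a stand-in for the contract of salt.utils.verify.clean_path with subdir=False, and the pki_dir values and minion IDs are constructed for the example) and evaluates the same crafted IDs as a POSIX master and as a Windows master from one host by passing posixpath or ntpath explicitly.

```python
"""Why the CVE-2017-12791 regex check was incomplete, and what the
CVE-2017-14695 check does instead. Added example; not code from Salt."""
import ntpath
import posixpath
import re

# Constructed pki_dir for each platform (assumption, not from the advisory).
PLATFORMS = {
    'posix': (posixpath, '/etc/salt/pki/master'),
    'windows': (ntpath, r'C:\salt\conf\pki\master'),
}

# Constructed minion IDs: two honest ids followed by crafted ones.
CRAFTED_IDS = (
    'web01',                 # honest id
    'web01.example.com',     # honest FQDN id; dots alone must stay legal
    'x/../web01',            # traversal written with the POSIX separator
    'x\\..\\web01',          # traversal written with the Windows separator
    'web01/.',               # a separator but no '..'; normalises onto 'web01'
    '../minions_pre/evil',   # escapes pki_dir entirely
)


def clean_path(pathmod, root, path):
    """Return the normalised path if it sits directly under root, else ''.

    Simplified stand-in for salt.utils.verify.clean_path(subdir=False): the
    candidate is joined to root, normalised, and must have root as its
    parent directory afterwards.
    """
    if not pathmod.isabs(root):
        return ''
    if not pathmod.isabs(path):
        path = pathmod.join(root, path)
    path = pathmod.normpath(path)
    if pathmod.dirname(path) == pathmod.normpath(root):
        return path
    return ''


def valid_id_regex_fix(pathmod, pki_dir, id_):
    """Validation as left by the CVE-2017-12791 fix.

    Rejects '..' followed by the host's own separator only (the clean_id
    regex that the later commit removed), then defers to clean_path.
    """
    if re.search(r'\.\.' + re.escape(pathmod.sep), id_):
        return False
    return bool(clean_path(pathmod, pki_dir, id_))


def valid_id_fixed(pathmod, pki_dir, id_):
    """Validation as changed by the CVE-2017-14695 fix.

    Rejects either separator and NUL before any normalisation, independent
    of the platform, so normpath never gets to reinterpret the id.
    """
    if any(x in id_ for x in ('/', '\\', '\0')):
        return False
    return bool(clean_path(pathmod, pki_dir, id_))


def compare(platform, ids=CRAFTED_IDS):
    """Map each id to (accepted_by_regex_fix, accepted_by_final_fix)."""
    pathmod, pki_dir = PLATFORMS[platform]
    return {
        id_: (valid_id_regex_fix(pathmod, pki_dir, id_),
              valid_id_fixed(pathmod, pki_dir, id_))
        for id_ in ids
    }


def missed_by_regex_fix(platform, ids=CRAFTED_IDS):
    """IDs the regex-era check accepted that the final fix rejects."""
    return sorted(id_ for id_, (old, new) in compare(platform, ids).items()
                  if old and not new)


if __name__ == '__main__':
    for platform, (pathmod, _) in PLATFORMS.items():
        print(f'{platform} master (separator {pathmod.sep!r})')
        for id_, (old, new) in compare(platform).items():
            print(f'  {id_!r:24} 2017-12791 check: {old!s:5}  2017-14695 check: {new}')
        print('  slipped past the regex check:', missed_by_regex_fix(platform))
```

Running it shows the separator dependence directly: the regex-era check only knows the host's os.sep, so a POSIX master lets `x\..\web01` through and a Windows master lets `x/../web01` through, and `web01/.` passes on both because it contains a separator without a `..` sequence. The final check rejects any id containing `/`, `\` or NUL before normalisation, while plain and dotted hostnames remain valid.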
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| salt (PyPI) | < 2016.3.8 | 2016.3.8 |
| salt (PyPI) | >= 2016.11.0, < 2016.11.8 | 2016.11.8 |
| salt (PyPI) | >= 2017.7.0, < 2017.7.2 | 2017.7.2 |
Affected products
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:* (version range: <= 2016.3.7)
- cpe:2.3:a:saltstack:salt:2016.11:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.5:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.6:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.7:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2017.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2017.7.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2017.7.1:*:*:*:*:*:*:*
Patches
1 patch · commit 80d90307b07b: Don't allow path separators in minion ID
2 files changed · +14 −11
salt/utils/verify.py+4 −11 modified@@ -480,22 +480,15 @@ def clean_path(root, path, subdir=False): return '' -def clean_id(id_): - ''' - Returns if the passed id is clean. - ''' - if re.search(r'\.\.\{sep}'.format(sep=os.sep), id_): - return False - return True - - def valid_id(opts, id_): ''' Returns if the passed id is valid ''' try: - return bool(clean_path(opts['pki_dir'], id_)) and clean_id(id_) - except (AttributeError, KeyError, TypeError) as e: + if any(x in id_ for x in ('/', '\\', '\0')): + return False + return bool(clean_path(opts['pki_dir'], id_)) + except (AttributeError, KeyError, TypeError): return False
tests/unit/utils/test_verify.py+10 −0 modified@@ -58,6 +58,16 @@ def test_valid_id_exception_handler(self): opts = {'pki_dir': '/tmp/whatever'} self.assertFalse(valid_id(opts, None)) + def test_valid_id_pathsep(self): + ''' + Path separators in id should make it invalid + ''' + opts = {'pki_dir': '/tmp/whatever'} + # We have to test both path separators because os.path.normpath will + # convert forward slashes to backslashes on Windows. + for pathsep in ('/', '\\'): + self.assertFalse(valid_id(opts, pathsep.join(('..', 'foobar')))) + def test_zmq_verify(self): self.assertTrue(zmq_version())
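Review bot: in the valid_id hunk of salt/utils/verify.py, the reason the new `if any(x in id_ for x in ('/', '\\', '\0'))` check looks for both separators, and why it runs before clean_path, is explained only in the test file, while the docstring still says just `Returns if the passed id is valid`. Suggest stating in the docstring or a comment that IDs containing either path separator or a NUL byte are rejected regardless of os.sep, since the removed clean_id regex `re.search(r'\.\.\{sep}'.format(sep=os.sep), id_)` was incomplete precisely because it was bound to the host's separator. Deleting clean_id also removes a module-level helper from salt.utils.verify; confirm nothing else imports it, or leave a thin wrapper that delegates to the new check.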
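Review bot: test_valid_id_pathsep in tests/unit/utils/test_verify.py exercises only `pathsep.join(('..', 'foobar'))`, so the two other inputs the new check rejects, a separator with no `..` (for example `'foo/bar'`) and an embedded NUL (`'foo\0bar'`), are untested, and there is no positive case asserting that a plain id such as `'foobar'` is still valid with the same opts. Suggest adding those assertions so a later change that narrows the check back to `..` sequences fails on every platform.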
References
- github.com/saltstack/salt/commit/80d90307b07b3703428ecbb7c8bb468e28a9ae6d (NVD: Issue Tracking, Patch, Third Party Advisory)
- lists.opensuse.org/opensuse-updates/2017-10/msg00073.html (NVD: Issue Tracking, Release Notes, Third Party Advisory)
- lists.opensuse.org/opensuse-updates/2017-10/msg00075.html (NVD: Issue Tracking, Release Notes, Third Party Advisory)
- bugzilla.redhat.com/show_bug.cgi (NVD: Issue Tracking, Release Notes, Third Party Advisory)
- docs.saltstack.com/en/latest/topics/releases/2016.11.8.html (NVD: Issue Tracking, Release Notes, Vendor Advisory)
- docs.saltstack.com/en/latest/topics/releases/2016.3.8.html (NVD: Issue Tracking, Release Notes, Vendor Advisory)
- docs.saltstack.com/en/latest/topics/releases/2017.7.2.html (NVD: Issue Tracking, Release Notes, Vendor Advisory)
- github.com/advisories/GHSA-j6gj-pg62-x8j6 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-14695 (GHSA: Advisory)
- github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2017-36.yaml (GHSA: Web)