High severity7.5NVD Advisory· Published Oct 24, 2017· Updated May 13, 2026

CVE-2017-14696

Description

SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
saltPyPI	< 2016.3.8	2016.3.8
saltPyPI	>= 2016.11.0, < 2016.11.8	2016.11.8
saltPyPI	>= 2017.7.0, < 2017.7.2	2017.7.2

Affected products

Saltstack/Salt15 versions
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*+ 14 more
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*range: <=2016.3.7
- cpe:2.3:a:saltstack:salt:2016.11:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.5:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.6:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.7:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2017.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2017.7.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2017.7.1:*:*:*:*:*:*:*

Patches

5f8b5e1a0f23

Do not allow IDs with null bytes in decoded payloads

https://github.com/saltstack/saltErik JohnsonAug 25, 2017via ghsa

commit

3 files changed · +25 −0

salt/crypt.py+3 −0 modified

@@ -607,6 +607,9 @@ def sign_in(self, timeout=60, safe=True, tries=1, channel=None):
                 raise tornado.gen.Return('retry')
             else:
                 raise SaltClientError('Attempt to authenticate with the salt master failed with timeout error')
+        if not isinstance(payload, dict):
+            log.error('Sign-in attempt failed: %s', payload)
+            raise tornado.gen.Return(False)
         if 'load' in payload:
             if 'ret' in payload['load']:
                 if not payload['load']['ret']:

salt/transport/tcp.py+11 −0 modified

@@ -623,6 +623,17 @@ def handle_message(self, stream, header, payload):
                     'payload and load must be a dict', header=header))
                 raise tornado.gen.Return()
 
+            try:
+                id_ = payload['load'].get('id', '')
+                if '\0' in id_:
+                    log.error('Payload contains an id with a null byte: %s', payload)
+                    stream.send(self.serial.dumps('bad load: id contains a null byte'))
+                    raise tornado.gen.Return()
+            except TypeError:
+                log.error('Payload contains non-string id: %s', payload)
+                stream.send(self.serial.dumps('bad load: id {0} is not a string'.format(id_)))
+                raise tornado.gen.Return()
+
             # intercept the "_auth" commands, since the main daemon shouldn't know
             # anything about our key auth
             if payload['enc'] == 'clear' and payload.get('load', {}).get('cmd') == '_auth':

salt/transport/zeromq.py+11 −0 modified

@@ -596,6 +596,17 @@ def handle_message(self, stream, payload):
             stream.send(self.serial.dumps('payload and load must be a dict'))
             raise tornado.gen.Return()
 
+        try:
+            id_ = payload['load'].get('id', '')
+            if '\0' in id_:
+                log.error('Payload contains an id with a null byte: %s', payload)
+                stream.send(self.serial.dumps('bad load: id contains a null byte'))
+                raise tornado.gen.Return()
+        except TypeError:
+            log.error('Payload contains non-string id: %s', payload)
+            stream.send(self.serial.dumps('bad load: id {0} is not a string'.format(id_)))
+            raise tornado.gen.Return()
+
         # intercept the "_auth" commands, since the main daemon shouldn't know
         # anything about our key auth
         if payload['enc'] == 'clear' and payload.get('load', {}).get('cmd') == '_auth':

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/saltstack/salt/commit/5f8b5e1a0f23fe0f2be5b3c3e04199b57a53db5bnvdIssue TrackingPatchThird Party AdvisoryWEB
lists.opensuse.org/opensuse-updates/2017-10/msg00073.htmlnvdIssue TrackingRelease NotesThird Party AdvisoryWEB
lists.opensuse.org/opensuse-updates/2017-10/msg00075.htmlnvdIssue TrackingRelease NotesThird Party AdvisoryWEB
bugzilla.redhat.com/show_bug.cginvdIssue TrackingRelease NotesThird Party AdvisoryWEB
docs.saltstack.com/en/latest/topics/releases/2016.11.8.htmlnvdIssue TrackingRelease NotesVendor AdvisoryWEB
docs.saltstack.com/en/latest/topics/releases/2016.3.8.htmlnvdIssue TrackingRelease NotesVendor AdvisoryWEB
docs.saltstack.com/en/latest/topics/releases/2017.7.2.htmlnvdIssue TrackingRelease NotesVendor AdvisoryWEB
github.com/advisories/GHSA-657p-cj5r-mjrhghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-14696ghsaADVISORY
github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2017-37.yamlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000