High severity8.8NVD Advisory· Published Sep 26, 2017· Updated May 13, 2026
CVE-2017-5192
CVE-2017-5192
Description
When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
saltPyPI | < 2015.8.13 | 2015.8.13 |
saltPyPI | >= 2016.3.0, < 2016.3.5 | 2016.3.5 |
saltPyPI | >= 2016.11.0, < 2016.11.2 | 2016.11.2 |
Affected products
9cpe:2.3:a:saltstack:salt:2016.3.0:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:a:saltstack:salt:2016.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:2016.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*range: <=2015.8.12
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- docs.saltstack.com/en/2016.3/topics/releases/2015.8.13.htmlnvdRelease NotesVendor AdvisoryWEB
- docs.saltstack.com/en/2016.3/topics/releases/2016.3.5.htmlnvdRelease NotesVendor AdvisoryWEB
- docs.saltstack.com/en/latest/topics/releases/2016.11.2.htmlnvdRelease NotesVendor AdvisoryWEB
- github.com/advisories/GHSA-f2h7-4f84-8qrmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-5192ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2017-38.yamlghsaWEB
News mentions
0No linked articles in our index yet.