VYPR
Moderate severity · NVD Advisory · Published Oct 24, 2018 · Updated Aug 5, 2024

CVE-2018-15750

Description

Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Directory traversal in SaltStack Salt's salt-api allows remote attackers to determine file existence on the server.

Vulnerability

CVE-2018-15750 is a directory traversal vulnerability in the salt-api component of SaltStack Salt. The flaw exists in the /run and /events endpoints, where an attacker can use path traversal sequences to probe for the existence of arbitrary files on the server. Affected versions are Salt before 2017.7.8 and 2018.3.x before 2018.3.3 [1][2].

Exploitation

An attacker needs only network access to the salt-api service. By sending crafted requests to the /run or /events endpoints with directory traversal patterns (e.g., ../), the attacker can determine whether a specific file exists on the server [1][2]. No authentication or special privileges are required.

Impact

Successful exploitation allows an attacker to enumerate files on the server, revealing the presence or absence of sensitive files (e.g., configuration files, SSH keys, or other data). This information disclosure can aid further attacks, but the vulnerability does not directly allow file read, modification, or code execution [1][2][3][4].

Mitigation

The vulnerability is fixed in Salt versions 2017.7.8 and 2018.3.3 [1][2]. Users should upgrade to these or later releases. For Ubuntu systems, the fix is included in USN-4459-1 [4]. No workarounds are documented; upgrading is the recommended action.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
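The class of check that the fix commits listed on this page harden, as an added illustration written for this page (not Salt's code; the token directory, the valid token and the "secret" file are constructed fixtures). A naive lookup that joins the client-supplied token onto the token directory and asks the filesystem whether it exists answers differently for present and absent files outside that directory, which is the existence oracle the advisory describes. Validating the token as a hex string first, catching both TypeError and ValueError as the patch does, rejects path-like or non-string input before any filesystem access.

```python
import os
import tempfile

# Constructed fixture: a token directory holding one valid hex token, plus a
# file outside that directory standing in for something sensitive on the host.
TOKEN_DIR = tempfile.mkdtemp(prefix="tokens_")
OUTSIDE_DIR = tempfile.mkdtemp(prefix="outside_")
VALID_TOKEN = "a3f9c1d7" * 4  # constructed 32-character hex token
SECRET = os.path.join(OUTSIDE_DIR, "secret.conf")
open(os.path.join(TOKEN_DIR, VALID_TOKEN), "w").close()
open(SECRET, "w").close()
# Relative path-like "token" of the form ../outside_xxx/secret.conf, the kind
# of input the advisory describes.
PROBE = os.path.relpath(SECRET, TOKEN_DIR)


def naive_token_exists(token):
    """Vulnerable pattern (constructed, not Salt's code): the client-supplied
    token is joined onto the token directory and tested with os.path.exists.
    A traversal sequence or an absolute path in `token` escapes TOKEN_DIR, so
    the True/False answer becomes a file-existence oracle for the whole host."""
    return os.path.exists(os.path.join(TOKEN_DIR, token))


def is_hex_token(token):
    """Pre-check modelled on the patched _is_valid_token: the token must parse
    as hexadecimal. A non-hex string raises ValueError; a non-string value
    (a list or None from a JSON body) raises TypeError, which the pre-patch
    handler did not catch. Anything that parses as hex cannot contain a path
    separator or a '..' component."""
    try:
        int(token, 16)
    except (TypeError, ValueError):
        return False
    return True


def hardened_token_exists(token):
    """Consult the filesystem only after the hex check, so path-like or
    malformed input never reaches os.path.exists."""
    if not is_hex_token(token):
        return False
    return naive_token_exists(token)
```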

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions             Patched versions
salt (PyPI)    >= 2017.7.0, < 2017.7.8       2017.7.8
salt (PyPI)    >= 2018.3.0, < 2018.3.3       2018.3.3
salt (PyPI)    >= 2016.11.0, < 2016.11.10    2016.11.10

Affected products

39

Patches

2
ad0d83c6a8f3

Add tests with filename in token data

https://github.com/saltstack/salt · Ch3LL · Aug 27, 2018 · via osv
2 files changed · +28 −1
  • salt/netapi/rest_cherrypy/app.py · +1 −1 · modified
    @@ -2178,7 +2178,7 @@ def _is_valid_token(self, auth_token):
             # than hex, this will raise a ValueError.
             try:
                 int(auth_token, 16)
    -        except ValueError:
    +        except (TypeError, ValueError):
                 return False
     
             # First check if the given token is in our session table; if so it's a
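Review bot: the comment just above the try block (`# than hex, this will raise a ValueError.`) is now stale, because the handler also catches TypeError; extend it to say that a non-string token (for example a list or None arriving from a JSON body) raises TypeError from `int(auth_token, 16)`. Catching both is the right call: the hex parse is the guard that rejects path-like tokens before the session-table and token lookups that follow, and an unhandled TypeError would have turned a malformed token into an exception instead of a clean `return False`.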
    
  • tests/integration/netapi/rest_cherrypy/test_app.py · +27 −0 · modified
    @@ -2,6 +2,7 @@
     
     # Import python libs
     from __future__ import absolute_import
    +import os
     
     # Import salt libs
     import salt.utils.json
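Review bot: this hunk adds only `import os`, yet the new tests further down call `urlencode(cmd)` and no import for it appears anywhere in the diff; confirm that `urlencode` is already imported earlier in this module, otherwise both new tests fail with a NameError rather than exercising the token check.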
    @@ -163,6 +164,32 @@ def test_run_wrong_token(self):
             })
             assert response.status == '401 Unauthorized'
     
    +    def test_run_pathname_token(self):
    +        '''
    +        Test the run URL with path that exists in token
    +        '''
    +        cmd = dict(self.low, **{'token': os.path.join('etc', 'passwd')})
    +        body = urlencode(cmd)
    +
    +        request, response = self.request('/run', method='POST', body=body,
    +            headers={
    +                'content-type': 'application/x-www-form-urlencoded'
    +        })
    +        assert response.status == '401 Unauthorized'
    +
    +    def test_run_pathname_not_exists_token(self):
    +        '''
    +        Test the run URL with path that does not exist in token
    +        '''
    +        cmd = dict(self.low, **{'token': os.path.join('tmp', 'doesnotexist')})
    +        body = urlencode(cmd)
    +
    +        request, response = self.request('/run', method='POST', body=body,
    +            headers={
    +                'content-type': 'application/x-www-form-urlencoded'
    +        })
    +        assert response.status == '401 Unauthorized'
    +
     
     class TestWebhookDisableAuth(cptc.BaseRestCherryPyTest):
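Review bot: `os.path.join('etc', 'passwd')` yields the relative string `etc/passwd`, so `test_run_pathname_token` never sends an absolute path to a file that exists, despite its docstring; use `os.path.join(os.sep, 'etc', 'passwd')` or a token containing a `..` component so the traversal case this fix is about is actually exercised. Two smaller points: `request` is assigned but unused in both new tests, and the two bodies differ only in the token string, so one helper taking the token would avoid the duplication.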
     
    
d520f9acc16a

Add tests with filename in token data

https://github.com/saltstack/salt · Ch3LL · Aug 27, 2018 · via osv
2 files changed · +28 −1
  • salt/netapi/rest_cherrypy/app.py · +1 −1 · modified
    @@ -2089,7 +2089,7 @@ def _is_valid_token(self, auth_token):
             # than hex, this will raise a ValueError.
             try:
                 int(auth_token, 16)
    -        except ValueError:
    +        except (TypeError, ValueError):
                 return False
     
             # First check if the given token is in our session table; if so it's a
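Review bot: with the broadened `except`, a token of the wrong type now fails exactly like a non-hex string, with a bare `return False` and no record of why; a debug-level log line before the `return False` naming the rejected token's type would let operators tell malformed API input from an expired or mistyped token when triaging 401 responses. The exception tuple itself is correct, since `int(auth_token, 16)` raises TypeError for non-string input and ValueError for non-hex strings.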
    
  • tests/integration/netapi/rest_cherrypy/test_app.py · +27 −0 · modified
    @@ -2,6 +2,7 @@
     
     # Import python libs
     from __future__ import absolute_import
    +import os
     import json
     
     # Import salt libs
    @@ -163,6 +164,32 @@ def test_run_wrong_token(self):
             })
             assert response.status == '401 Unauthorized'
     
    +    def test_run_pathname_token(self):
    +        '''
    +        Test the run URL with path that exists in token
    +        '''
    +        cmd = dict(self.low, **{'token': os.path.join('etc', 'passwd')})
    +        body = urlencode(cmd)
    +
    +        request, response = self.request('/run', method='POST', body=body,
    +            headers={
    +                'content-type': 'application/x-www-form-urlencoded'
    +        })
    +        assert response.status == '401 Unauthorized'
    +
    +    def test_run_pathname_not_exists_token(self):
    +        '''
    +        Test the run URL with path that does not exist in token
    +        '''
    +        cmd = dict(self.low, **{'token': os.path.join('tmp', 'doesnotexist')})
    +        body = urlencode(cmd)
    +
    +        request, response = self.request('/run', method='POST', body=body,
    +            headers={
    +                'content-type': 'application/x-www-form-urlencoded'
    +        })
    +        assert response.status == '401 Unauthorized'
    +
     
     class TestWebhookDisableAuth(cptc.BaseRestCherryPyTest):
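Review bot: both new tests assert `401 Unauthorized`, which is exactly what `test_run_wrong_token` above already expects for any rejected token, so they cannot tell whether the path-like token was rejected by the hex check or reached the filesystem and merely failed to match a token file; to pin the fix down, additionally patch `os.path.exists` (or whichever lookup the token resolver uses) with a mock and assert that it is never called with the client-supplied string.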
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

14

News mentions

0

No linked articles in our index yet.