VYPR
Critical severity · NVD Advisory · Published Oct 24, 2018 · Updated Aug 5, 2024

CVE-2018-15751

Description

SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow unauthenticated remote attackers to execute arbitrary commands via salt-api.

Vulnerability

The vulnerability is in the salt-api (netapi) component of SaltStack Salt; versions before 2017.7.8 and 2018.3.x before 2018.3.3 are affected [1][2]. It allows remote attackers to bypass authentication and execute arbitrary commands. The references describe it only as "Remote command execution and incorrect access control when using salt-api" [1][2]. The fix commits listed under Patches below narrow this down to token validation in _is_valid_token of the rest_cherrypy application (salt/netapi/rest_cherrypy/app.py): the step that parses the token as a hex number caught only ValueError and now also catches TypeError, and the accompanying tests send filesystem-path-like strings such as etc/passwd in the token field of a POST to /run and expect 401 Unauthorized.
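To make the change in the fix commits concrete, here is a small Python model of the hex-parsing stage of the token check. This is an added example, not Salt's code: it keeps only what the patches on this page show (int(auth_token, 16) with a ValueError-only catch before the fix, a TypeError/ValueError catch after it) and replaces the session-table and on-disk token lookups that follow in the real _is_valid_token with a constructed in-memory set. It does not reproduce the authentication bypass itself, which the visible diff does not show; the assumption that an exception escaping the check would surface as a server error rather than a 401 is marked in the code.

```python
"""Model of the hex-parsing stage of salt-api's token check (added example).

Not Salt's code: it keeps only what the fix commits on this page show and
uses an in-memory set in place of the session-table / on-disk lookups that
the real salt.netapi.rest_cherrypy.app._is_valid_token performs afterwards.
"""
import os

# Constructed sample session table: one token that "salt-api" has issued.
KNOWN_TOKENS = {"3f9a1c0d2e4b5a6978c0d1e2f3a4b5c6"}


def hex_check_before_fix(auth_token):
    """Pre-fix behaviour from the diff: only ValueError is caught."""
    try:
        int(auth_token, 16)
    except ValueError:
        return False
    return True


def hex_check_after_fix(auth_token):
    """Post-fix behaviour from the diff: TypeError is caught as well."""
    try:
        int(auth_token, 16)
    except (TypeError, ValueError):
        return False
    return True


def is_valid_token(auth_token, hex_check, known_tokens=KNOWN_TOKENS):
    """Hex check first, then the (modelled) lookup in the session table."""
    if not hex_check(auth_token):
        return False
    return auth_token in known_tokens


def classify(auth_token, hex_check):
    """Outcome for one token: 'accepted', 'rejected' or 'error:<Exception>'.

    An exception escaping the check is modelled as an error outcome, on the
    assumption that the web layer would turn it into a server error rather
    than the 401 the page's tests expect.
    """
    try:
        ok = is_valid_token(auth_token, hex_check)
    except Exception as exc:  # pylint: disable=broad-except
        return "error:" + type(exc).__name__
    return "accepted" if ok else "rejected"


# Constructed inputs: a valid token, the path-like token from the page's
# test_run_pathname_token, a list (assumption: what a repeated form field
# can become after request parsing), and a missing token.
SAMPLE_TOKENS = [
    "3f9a1c0d2e4b5a6978c0d1e2f3a4b5c6",
    os.path.join("etc", "passwd"),
    ["3f9a1c0d2e4b5a6978c0d1e2f3a4b5c6", "deadbeef"],
    None,
]


def compare(tokens=SAMPLE_TOKENS):
    """Return [(repr(token), outcome_before_fix, outcome_after_fix), ...]."""
    return [
        (repr(t), classify(t, hex_check_before_fix), classify(t, hex_check_after_fix))
        for t in tokens
    ]


if __name__ == "__main__":
    for shown, before, after in compare():
        print("%-60s before: %-16s after: %s" % (shown, before, after))
```

Running it shows that a path-like string such as etc/passwd is already rejected by the hex check in both versions, so the tests added by the fix commits exercise the ValueError path, whereas a None or list token escapes the pre-fix check as a TypeError and is cleanly rejected by the fixed one.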

Exploitation

An attacker with network access to the salt-api service can exploit this vulnerability by sending crafted requests to the endpoint without any prior authentication [3]; no user interaction or special privileges are needed. The requests are ordinary API calls (the fix's tests model them as form-encoded POSTs to /run) carrying a token value that the patched authentication check rejects with 401 Unauthorized.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the salt-api host with the privileges of the Salt process [4]. This can lead to full compromise of the system, including data exfiltration, installation of malware, or denial of service. The impact is high as it affects confidentiality, integrity, and availability.

Mitigation

The vulnerability is fixed in Salt 2017.7.8 and 2018.3.3 [1][2]; the GitHub Security Advisory data below also lists 2016.11.10 as the patched release for the 2016.11 branch. Users should upgrade to these versions or later. The Ubuntu security notice [4] provides updated packages for affected Ubuntu releases. The references give no workaround beyond upgrading; where an upgrade cannot happen immediately, restricting network access to the salt-api endpoint reduces exposure but does not remove the flaw.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Affected versions           Patched versions
salt (PyPI)   >= 2017.7.0, < 2017.7.8     2017.7.8
salt (PyPI)   >= 2018.3.0, < 2018.3.3     2018.3.3
salt (PyPI)   >= 2016.11.0, < 2016.11.10  2016.11.10
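The Mitigation paragraph above and this table give three fixed releases. The following Python script is an added example, not Salt's own code: it checks a version string (a bare "2018.3.2" or, on the assumption that the CLI prints it this way, "salt 2018.3.2 (Oxygen)") against exactly these GHSA ranges and names the release to upgrade to. Versions matching none of the ranges are reported as "not in the listed ranges" rather than "safe": for releases newer than the fixed versions that means fixed, but for older branches the NVD text ("before 2017.7.8") is broader than the GHSA ranges, so the script deliberately does not claim safety there.

```python
"""Check a Salt version string against the affected ranges on this page.

Added example, not Salt's own code. The ranges are the GitHub Security
Advisory ranges from the Affected packages table; a version outside them is
reported as "not in the listed ranges", which for old branches is not the
same as "not affected" (the NVD text says "before 2017.7.8").
"""
import re

# (introduced, fixed) pairs from the Affected packages table: a version is
# affected if introduced <= version < fixed.
AFFECTED_RANGES = [
    ((2016, 11, 0), (2016, 11, 10)),
    ((2017, 7, 0), (2017, 7, 8)),
    ((2018, 3, 0), (2018, 3, 3)),
]

# Salt release numbers of this era are year.month[.patch].
_VERSION_RE = re.compile(r"(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_version(text):
    """Extract (year, month, patch) from a version string.

    Accepts a bare "2018.3.2" as well as the "salt 2018.3.2 (Oxygen)" shape
    assumed for CLI output. A missing patch number counts as 0; any
    pre-release suffix after the numbers is ignored.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no year.month[.patch] version in %r" % (text,))
    year, month, patch = match.groups()
    return (int(year), int(month), int(patch or 0))


def affected_range(text):
    """Return the (introduced, fixed) range containing the version, or None."""
    version = parse_version(text)
    for introduced, fixed in AFFECTED_RANGES:
        if introduced <= version < fixed:
            return introduced, fixed
    return None


def is_affected(text):
    """True when the version falls inside one of the listed GHSA ranges."""
    return affected_range(text) is not None


def format_version(version):
    return ".".join(str(part) for part in version)


def report(text):
    """One-line verdict for a version string, naming the upgrade target."""
    hit = affected_range(text)
    if hit is None:
        return "%s: not in the listed affected ranges (check NVD for other branches)" % text
    return "%s: affected, upgrade to %s or later" % (text, format_version(hit[1]))


if __name__ == "__main__":
    # Constructed sample inputs in the assumed shape of `salt --version` output.
    for sample in ("salt 2018.3.2 (Oxygen)", "salt 2017.7.8 (Nitrogen)",
                   "2016.11.9", "2019.2.0"):
        print(report(sample))
```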

Affected products

39

Patches

2
d520f9acc16a

Add tests with filename in token data

https://github.com/saltstack/salt · Ch3LL · Aug 27, 2018 · via osv
2 files changed · +28 −1
  • salt/netapi/rest_cherrypy/app.py (+1 −1, modified)
    @@ -2089,7 +2089,7 @@ def _is_valid_token(self, auth_token):
             # than hex, this will raise a ValueError.
             try:
                 int(auth_token, 16)
    -        except ValueError:
    +        except (TypeError, ValueError):
                 return False
     
             # First check if the given token is in our session table; if so it's a
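Review bot: the widened except clause in _is_valid_token catches TypeError, which int(auth_token, 16) raises for non-string values such as None or a list, but the two tests this commit adds send plain strings (etc/passwd, tmp/doesnotexist) that already raise ValueError, so the new TypeError branch is never exercised; add a test that submits a non-string or repeated token field. The comment above the try block still says only that non-hex input "will raise a ValueError" and should mention TypeError as well.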
    
  • tests/integration/netapi/rest_cherrypy/test_app.py (+27 −0, modified)
    @@ -2,6 +2,7 @@
     
     # Import python libs
     from __future__ import absolute_import
    +import os
     import json
     
     # Import salt libs
    @@ -163,6 +164,32 @@ def test_run_wrong_token(self):
             })
             assert response.status == '401 Unauthorized'
     
    +    def test_run_pathname_token(self):
    +        '''
    +        Test the run URL with path that exists in token
    +        '''
    +        cmd = dict(self.low, **{'token': os.path.join('etc', 'passwd')})
    +        body = urlencode(cmd)
    +
    +        request, response = self.request('/run', method='POST', body=body,
    +            headers={
    +                'content-type': 'application/x-www-form-urlencoded'
    +        })
    +        assert response.status == '401 Unauthorized'
    +
    +    def test_run_pathname_not_exists_token(self):
    +        '''
    +        Test the run URL with path that does not exist in token
    +        '''
    +        cmd = dict(self.low, **{'token': os.path.join('tmp', 'doesnotexist')})
    +        body = urlencode(cmd)
    +
    +        request, response = self.request('/run', method='POST', body=body,
    +            headers={
    +                'content-type': 'application/x-www-form-urlencoded'
    +        })
    +        assert response.status == '401 Unauthorized'
    +
     
     class TestWebhookDisableAuth(cptc.BaseRestCherryPyTest):
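Review bot: test_run_pathname_token's docstring says it tests a "path that exists", but os.path.join('etc', 'passwd') yields the relative path etc/passwd, which exists only if the suite happens to run from the filesystem root; use an absolute path or create a temporary file so the "exists" and "does not exist" cases actually differ. As written both tests send a non-hex string, which the pre-existing except ValueError: return False path already turns into 401, so neither test pins down the behaviour this commit changes. urlencode is also used without an import visible in this hunk; confirm the module already imports it.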
     
    
ad0d83c6a8f3

Add tests with filename in token data

https://github.com/saltstack/salt · Ch3LL · Aug 27, 2018 · via osv
2 files changed · +28 −1
  • salt/netapi/rest_cherrypy/app.py (+1 −1, modified)
    @@ -2178,7 +2178,7 @@ def _is_valid_token(self, auth_token):
             # than hex, this will raise a ValueError.
             try:
                 int(auth_token, 16)
    -        except ValueError:
    +        except (TypeError, ValueError):
                 return False
     
             # First check if the given token is in our session table; if so it's a
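Review bot: the comment immediately above the try block still explains only the ValueError case ("this will raise a ValueError") while the clause now also swallows TypeError; state which inputs (non-string values such as None or a list) produce the TypeError so the reason for the broader catch is not lost. Consider whether a non-string token reaching this point indicates a request-parsing problem worth logging before returning False.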
    
  • tests/integration/netapi/rest_cherrypy/test_app.py (+27 −0, modified)
    @@ -2,6 +2,7 @@
     
     # Import python libs
     from __future__ import absolute_import
    +import os
     
     # Import salt libs
     import salt.utils.json
    @@ -163,6 +164,32 @@ def test_run_wrong_token(self):
             })
             assert response.status == '401 Unauthorized'
     
    +    def test_run_pathname_token(self):
    +        '''
    +        Test the run URL with path that exists in token
    +        '''
    +        cmd = dict(self.low, **{'token': os.path.join('etc', 'passwd')})
    +        body = urlencode(cmd)
    +
    +        request, response = self.request('/run', method='POST', body=body,
    +            headers={
    +                'content-type': 'application/x-www-form-urlencoded'
    +        })
    +        assert response.status == '401 Unauthorized'
    +
    +    def test_run_pathname_not_exists_token(self):
    +        '''
    +        Test the run URL with path that does not exist in token
    +        '''
    +        cmd = dict(self.low, **{'token': os.path.join('tmp', 'doesnotexist')})
    +        body = urlencode(cmd)
    +
    +        request, response = self.request('/run', method='POST', body=body,
    +            headers={
    +                'content-type': 'application/x-www-form-urlencoded'
    +        })
    +        assert response.status == '401 Unauthorized'
    +
     
     class TestWebhookDisableAuth(cptc.BaseRestCherryPyTest):
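Review bot: urlencode is called in both new tests but neither this hunk nor the import hunk above (which adds only os) imports it; if the module does not already import it the tests fail with a NameError before reaching the assertion. The two tests also differ only in the path string and assert the same 401, so a single test iterating over both tokens would cover the same ground with less duplication.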
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

14

News mentions

0

No linked articles in our index yet.