VYPR

PyPI package

salt

pkg:pypi/salt

Vulnerabilities (66)

  • CVE-2019-17361Jan 17, 2020
    affected < 2019.2.3fixed 2019.2.3

    In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

  • CVE-2013-2228Dec 3, 2019
    affected < 0.15.1fixed 0.15.1

    SaltStack RSA Key Generation allows remote users to decrypt communications

  • CVE-2019-1010259Jul 18, 2019
    affected >= 2018.3.0, < 2018.3.4fixed 2018.3.4

    SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt. The attack vector is: sp

  • CVE-2018-15751Oct 24, 2018
    affected >= 2017.7.0, < 2017.7.8fixed 2017.7.8

    SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).

  • CVE-2018-15750Oct 24, 2018
    affected >= 2017.7.0, < 2017.7.8fixed 2017.7.8

    Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.

  • CVE-2017-7893CriApr 23, 2018
    affected < 2016.3.6fixed 2016.3.6

    In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.

  • CVE-2017-14696HigOct 24, 2017
    affected < 2016.3.8fixed 2016.3.8

    SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.

  • CVE-2017-14695CriOct 24, 2017
    affected < 2016.3.8fixed 2016.3.8

    Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability ex

  • CVE-2015-6918MedOct 10, 2017
    affected < 2015.5.5fixed 2015.5.5

    salt before 2015.5.5 leaks git usernames and passwords to the log.

  • CVE-2017-5200HigSep 26, 2017
    affected < 2015.8.13fixed 2015.8.13

    Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client.

  • CVE-2017-5192HigSep 26, 2017
    affected < 2015.8.13fixed 2015.8.13

    When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.

  • CVE-2015-4017HigAug 25, 2017
    affected < 2014.7.6fixed 2014.7.6

    Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules.

  • CVE-2015-6941CriAug 9, 2017
    affected >= 2015.5, < 2015.5.6fixed 2015.5.6

    win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.

  • CVE-2017-8109HigApr 25, 2017
    affected >= 2016.11, < 2016.11.4fixed 2016.11.4

    The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).

  • CVE-2015-1839MedApr 13, 2017
    affected < 2014.7.4fixed 2014.7.4

    modules/chef.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.

  • CVE-2015-1838MedApr 13, 2017
    affected < 2014.7.4fixed 2014.7.4

    modules/serverdensity_device.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.

  • CVE-2016-9639CriFeb 7, 2017
    affected < 2015.8.11fixed 2015.8.11

    Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.

  • CVE-2016-3176MedJan 31, 2017
    affected < 2015.5.10fixed 2015.5.10

    Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.

  • CVE-2015-8034LowJan 30, 2017
    affected < 2015.8.3fixed 2015.8.3

    The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.

  • CVE-2016-1866HigApr 12, 2016
    affected >= 2015.8.0rc1, < 2015.8.4fixed 2015.8.4

    Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream.