SaltStack Salt Information Exposure

GHSA-xcx4-5wq7-g5g7 · CVE-2017-8109 · PYSEC-2017-82

Published May 17, 2022 · Modified Oct 26, 2024

Description

The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-8109
WEB https://github.com/saltstack/salt/issues/40075
WEB https://github.com/saltstack/salt/pull/40609
WEB https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd00509929c3809c658
WEB https://bugzilla.suse.com/show_bug.cgi?id=1035912
WEB https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2017-82.yaml
PACKAGE https://github.com/saltstack/salt

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes