Vulnerability Details CVE-2017-8109
The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 14.4%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 2.1
References
- http://www.securityfocus.com/bid/98095
- https://bugzilla.suse.com/show_bug.cgi?id=1035912
- https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.html
- https://github.com/saltstack/salt/issues/40075
- https://github.com/saltstack/salt/pull/40609
- https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd00509929c3809c658
- http://www.securityfocus.com/bid/98095
- https://bugzilla.suse.com/show_bug.cgi?id=1035912
- https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.html
- https://github.com/saltstack/salt/issues/40075
- https://github.com/saltstack/salt/pull/40609
- https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd00509929c3809c658
Products affected by CVE-2017-8109
-
cpe:2.3:a:saltstack:salt:2016.11
-
cpe:2.3:a:saltstack:salt:2016.11.0
-
cpe:2.3:a:saltstack:salt:2016.11.1
-
cpe:2.3:a:saltstack:salt:2016.11.2
-
cpe:2.3:a:saltstack:salt:2016.11.3