Saltstack Salt 2015.8.3: Security Vulnerabilities

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.
CVSS Score: 9.8 | EPSS Score: 0.014 | Published: 2017-08-23

Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
CVSS Score: 9.1 | EPSS Score: 0.003 | Published: 2017-02-07

Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.
CVSS Score: 5.6 | EPSS Score: 0.002 | Published: 2017-01-31

Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream.
CVSS Score: 8.1 | EPSS Score: 0.009 | Published: 2016-04-12