SaltStack RSA Key Generation allows remote users to decrypt communications
Max CVSS: 8.1; EPSS Score: 3.86%; Published: 2019-12-03; Updated: 2019-12-13
Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated users who are using external authentication or client ACL to execute restricted routines by embedding the routine in another routine.
Max CVSS: 6.0; EPSS Score: 0.16%; Published: 2013-11-05; Updated: 2013-11-07
The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.
Max CVSS: 9.3; EPSS Score: 0.19%; Published: 2013-11-05; Updated: 2013-11-07
Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0 has unspecified impact and vectors related to "insecure Usage of /tmp."
Max CVSS: 10.0; EPSS Score: 0.21%; Published: 2013-11-05; Updated: 2013-11-07
Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe.
Max CVSS: 7.5; EPSS Score: 0.63%; Published: 2013-11-05; Updated: 2013-11-07
Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key.
Max CVSS: 4.9; EPSS Score: 0.14%; Published: 2013-11-05; Updated: 2013-11-07
The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it easier for remote attackers to gain privileges.
Max CVSS: 10.0; EPSS Score: 0.38%; Published: 2013-11-05; Updated: 2013-11-06
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.
Max CVSS: 7.2; EPSS Score: 0.04%; Published: 2014-08-22; Updated: 2017-08-29
modules/serverdensity_device.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.
Max CVSS: 5.3; EPSS Score: 0.06%; Published: 2017-04-13; Updated: 2017-04-19
modules/chef.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.
Max CVSS: 5.3; EPSS Score: 0.07%; Published: 2017-04-13; Updated: 2017-04-19
Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules.
Max CVSS: 7.5; EPSS Score: 0.17%; Published: 2017-08-25; Updated: 2018-08-13
salt before 2015.5.5 leaks git usernames and passwords to the log.
Max CVSS: 6.3; EPSS Score: 0.06%; Published: 2017-10-10; Updated: 2017-11-05
win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
Max CVSS: 9.8; EPSS Score: 0.51%; Published: 2017-08-09; Updated: 2017-08-21
The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.
Max CVSS: 3.3; EPSS Score: 0.04%; Published: 2017-01-30; Updated: 2017-03-02
Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream.
Max CVSS: 8.1; EPSS Score: 0.16%; Published: 2016-04-12; Updated: 2018-10-30
Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.
Max CVSS: 5.6; EPSS Score: 0.10%; Published: 2017-01-31; Updated: 2017-02-07
Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
Max CVSS: 9.1; EPSS Score: 0.28%; Published: 2017-02-07; Updated: 2017-02-09
When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.
Max CVSS: 8.8; EPSS Score: 0.21%; Published: 2017-09-26; Updated: 2017-10-06
Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client.
Max CVSS: 9.0; EPSS Score: 0.23%; Published: 2017-09-26; Updated: 2019-10-03
In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
Max CVSS: 9.8; EPSS Score: 0.22%; Published: 2018-04-23; Updated: 2019-10-03
The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).
Max CVSS: 7.8; EPSS Score: 0.04%; Published: 2017-04-25; Updated: 2017-05-05
Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.
Max CVSS: 9.8; EPSS Score: 0.54%; Published: 2017-08-23; Updated: 2017-08-29
Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.
Max CVSS: 9.8; EPSS Score: 0.75%; Published: 2017-10-24; Updated: 2017-11-14
SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.
Max CVSS: 7.5; EPSS Score: 3.38%; Published: 2017-10-24; Updated: 2017-11-15
Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.
Max CVSS: 5.3; EPSS Score: 0.50%; Published: 2018-10-24; Updated: 2020-08-20
55 vulnerabilities found