CVE-2013-4436

Published: Nov 5, 2013Modified: Apr 29, 2026

9.3

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability: 8.6 / Impact: 10.0

Source: NVD

Description

The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

Affected (1)

Products: Saltstack: Salt

Saltstack

1 product

Salt

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Saltstack Salt	Version 0.17.0

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (4)

http://docs.saltstack.com/topics/releases/0.17.1.html

Source: secalert@redhat.com

PatchVendor Advisory

http://www.openwall.com/lists/oss-security/2013/10/18/3

Source: secalert@redhat.com

http://docs.saltstack.com/topics/releases/0.17.1.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

http://www.openwall.com/lists/oss-security/2013/10/18/3

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.