CVE-2017-5192

Published: Sep 26, 2017Modified: May 13, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.

Affected (9)

Products: Saltstack: Salt

1 product

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Saltstack Salt	Up to 2015.8.12
Saltstack Salt	Version 2016.11.0
Saltstack Salt	Version 2016.11.1
Saltstack Salt	Version 2016.11.2
Saltstack Salt	Version 2016.3.0
Saltstack Salt	Version 2016.3.1
Saltstack Salt	Version 2016.3.2
Saltstack Salt	Version 2016.3.3
Saltstack Salt	Version 2016.3.4

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (6)

https://docs.saltstack.com/en/2016.3/topics/releases/2015.8.13.html

Source: cve@mitre.org

Release NotesVendor Advisory

https://docs.saltstack.com/en/2016.3/topics/releases/2016.3.5.html

Source: cve@mitre.org

Release NotesVendor Advisory

https://docs.saltstack.com/en/latest/topics/releases/2016.11.2.html

Source: cve@mitre.org

Release NotesVendor Advisory

https://docs.saltstack.com/en/2016.3/topics/releases/2015.8.13.html

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://docs.saltstack.com/en/2016.3/topics/releases/2016.3.5.html

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://docs.saltstack.com/en/latest/topics/releases/2016.11.2.html

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.