Salt

salt

Vendor: Saltstack • 52 CVEs

CVEs (52)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-35662 3Debian FedoraprojectSaltstack 3Debian Linux FedoraSalt Nov 21, 2024 Feb 27, 2021 N/A· v4 7.4 HIGH· v3 5.8 MEDIUM· v2 In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated.
CVE-2020-28972 3Debian FedoraprojectSaltstack 3Debian Linux FedoraSalt Nov 21, 2024 Feb 27, 2021 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate.
CVE-2020-28243 3Debian FedoraprojectSaltstack 3Debian Linux FedoraSalt Nov 21, 2024 Feb 27, 2021 N/A· v4 7.8 HIGH· v3 4.4 MEDIUM· v2 An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a...Show more An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory.Show less
CVE-2020-25592 2Debian Saltstack 2Debian Linux Salt Nov 21, 2024 Nov 6, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
CVE-2020-17490 2Debian Saltstack 2Debian Linux Salt Nov 21, 2024 Nov 6, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions.
CVE-2020-16846 4Debian FedoraprojectOpensuse+1 more 4Debian Linux FedoraLeap+1 more Nov 7, 2025 Nov 6, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
CVE-2020-11652 6Blackberry CanonicalDebian+3 more 6Application Remote Collector Debian LinuxLeap+3 more Nov 7, 2025 Apr 30, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary direc...Show more An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.Show less
CVE-2020-11651 5Canonical DebianOpensuse+2 more 5Application Remote Collector Debian LinuxLeap+2 more Nov 7, 2025 Apr 30, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without...Show more An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.Show less
CVE-2019-17361 4Canonical DebianOpensuse+1 more 4Debian Linux LeapSalt+1 more Nov 21, 2024 Jan 17, 2020 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrar...Show more In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.Show less
CVE-2018-15751 1Saltstack 1Salt Nov 21, 2024 Oct 24, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).
CVE-2018-15750 1Saltstack 1Salt Nov 21, 2024 Oct 24, 2018 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.
CVE-2017-7893 1Saltstack 1Salt Nov 21, 2024 Apr 23, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
CVE-2017-14696 1Saltstack 1Salt May 13, 2026 Oct 24, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.
CVE-2017-14695 1Saltstack 1Salt May 13, 2026 Oct 24, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a...Show more Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.Show less
CVE-2017-5200 1Saltstack 1Salt May 13, 2026 Sep 26, 2017 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client.
CVE-2017-5192 1Saltstack 1Salt May 13, 2026 Sep 26, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be by...Show more When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.Show less
CVE-2015-4017 1Saltstack 1Salt May 13, 2026 Aug 25, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules.
CVE-2017-12791 1Saltstack 1Salt May 13, 2026 Aug 23, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion...Show more Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.Show less
CVE-2017-8109 1Saltstack 1Salt May 13, 2026 Apr 25, 2017 N/A· v4 7.8 HIGH· v3 2.1 LOW· v2 The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (cli...Show more The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).Show less
CVE-2015-1839 2Fedoraproject Saltstack 2Fedora Salt May 13, 2026 Apr 13, 2017 N/A· v4 5.3 MEDIUM· v3 4.6 MEDIUM· v2 modules/chef.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.

Previous 123 Next