Saltstack

saltstack

56 CVEs • 5 products

Products (5)

Click to collapse

Toggle

CVEs (56)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-12791 1Saltstack 1Salt May 13, 2026 Aug 23, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion...Show more Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.Show less
CVE-2015-6941 1Saltstack 1Salt 2015 May 13, 2026 Aug 9, 2017 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
CVE-2017-8109 1Saltstack 1Salt May 13, 2026 Apr 25, 2017 N/A· v4 7.8 HIGH· v3 2.1 LOW· v2 The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (cli...Show more The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).Show less
CVE-2015-1839 2Fedoraproject Saltstack 2Fedora Salt May 13, 2026 Apr 13, 2017 N/A· v4 5.3 MEDIUM· v3 4.6 MEDIUM· v2 modules/chef.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.
CVE-2015-1838 2Fedoraproject Saltstack 2Fedora Salt May 13, 2026 Apr 13, 2017 N/A· v4 5.3 MEDIUM· v3 4.6 MEDIUM· v2 modules/serverdensity_device.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.
CVE-2016-9639 1Saltstack 1Salt May 13, 2026 Feb 7, 2017 N/A· v4 9.1 CRITICAL· v3 7.5 HIGH· v2 Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
CVE-2016-3176 1Saltstack 1Salt May 13, 2026 Jan 31, 2017 N/A· v4 5.6 MEDIUM· v3 4.3 MEDIUM· v2 Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to Loc...Show more Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.Show less
CVE-2015-8034 1Saltstack 1Salt May 13, 2026 Jan 30, 2017 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.
CVE-2016-1866 2Opensuse Saltstack 2Leap Salt May 6, 2026 Apr 12, 2016 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream.
CVE-2014-3563 1Saltstack 1Salt May 6, 2026 Aug 22, 2014 N/A· v4 N/A· v3 7.2 HIGH· v2 Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud...Show more Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.Show less
CVE-2013-6617 1Saltstack 1Salt Apr 29, 2026 Nov 5, 2013 N/A· v4 N/A· v3 10.0 HIGH· v2 The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it easier for remote attackers to gain privileges.
CVE-2013-4439 1Saltstack 1Salt Apr 29, 2026 Nov 5, 2013 N/A· v4 N/A· v3 4.9 MEDIUM· v2 Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key.
CVE-2013-4438 1Saltstack 1Salt Apr 29, 2026 Nov 5, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already...Show more Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe.Show less
CVE-2013-4437 1Saltstack 1Salt Apr 29, 2026 Nov 5, 2013 N/A· v4 N/A· v3 10.0 HIGH· v2 Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0 has unspecified impact and vectors related to "insecure Usage of /tmp."
CVE-2013-4436 1Saltstack 1Salt Apr 29, 2026 Nov 5, 2013 N/A· v4 N/A· v3 9.3 HIGH· v2 The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.
CVE-2013-4435 1Saltstack 1Salt Apr 29, 2026 Nov 5, 2013 N/A· v4 N/A· v3 6.0 MEDIUM· v2 Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated users who are using external authentication or client ACL to execute restricted routines by embedding the routine in another routine.