CVE-2017-8109
The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).
| Software | From | Fixed in |
|---|---|---|
| saltstack / salt | 2016.11.2 | 2016.11.2.x |
| saltstack / salt | 2016.11.1 | 2016.11.1.x |
| saltstack / salt | 2016.11.0 | 2016.11.0.x |
| saltstack / salt | 2016.11.0-rc2 | 2016.11.0-rc2.x |
| saltstack / salt | 2016.11 | 2016.11.x |
| saltstack / salt | 2016.11.3 | 2016.11.3.x |
| saltstack / salt | 2016.11.0-rc1 | 2016.11.0-rc1.x |
- http://www.securityfocus.com/bid/98095
- https://bugzilla.suse.com/show_bug.cgi?id=1035912
- https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.html
- https://github.com/saltstack/salt/issues/40075
- https://github.com/saltstack/salt/pull/40609
- https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd00509929c3809c658
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime