CVE-2013-4439
Published 2013-11-05
CVE-2013-4439: Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key.
Priority P4 · 27 · medium · 4.9 · CVSS 2.0
AV:N/AC:M/Au:S/C:P/I:P/A:N
EPSS 1.47% · 70.6th percentile
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | >= 0 < 0.17.1 | 0.17.1 |
| saltstack | salt | >= 0.15.0 < 0.17.1 | 0.17.1 |
GHSA
Minion identity not validated in saltstack
ghsa·2022-05-17
CVE-2013-4439 [HIGH] Minion identity not validated in saltstack
OSV
Minion identity not validated in saltstack
osv·2022-05-17
CVE-2013-4439 [HIGH] Minion identity not validated in saltstack
OSV
CVE-2013-4439: Salt (aka SaltStack) before 0
osv·2013-11-05
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-4439 salt: saltstack minion identity usurpation [epel-all]
bugzilla·2013-10-17·CVSS 4.9
CVE-2013-4439 [MEDIUM] CVE-2013-4439 salt: saltstack minion identity usurpation [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects
Bugzilla
CVE-2013-4439 salt: saltstack minion identity usurpation [fedora-all]
bugzilla·2013-10-17·CVSS 4.9
CVE-2013-4439 [MEDIUM] CVE-2013-4439 salt: saltstack minion identity usurpation [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects mul
Bugzilla
CVE-2013-4435 CVE-2013-4436 CVE-2013-4437 CVE-2013-4438 CVE-2013-4439 CVE-2013-6617 salt: saltstack multiple flaws
bugzilla·2013-10-17·CVSS 6.0
CVE-2013-4435 [MEDIUM] CVE-2013-4435 CVE-2013-4436 CVE-2013-4437 CVE-2013-4438 CVE-2013-4439 CVE-2013-6617 salt: saltstack multiple flaws
Saltstack, a client/server configuration system, was found to have allowed any minion to masquerade as any other agent when requesting stuff from the master, which could permit a compromised server to request data from another server, which could lead to a potential information leak.
References:
http://seclists.org/oss-sec/2013/q4/85
https://github.com/saltstack/salt/pull/7356
Commit:
https://github.com/saltstack/salt/pull/7356/commits
Discussion:
Created salt tracking bugs for this issue:
Affects: fedora-all [bug 1020307]
Affects: epel-all [bug 1020308]
---
salt-0.17.1-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please
http://docs.saltstack.com/topics/releases/0.17.1.html
http://www.openwall.com/lists/oss-security/2013/10/18/3
https://github.com/saltstack/salt/pull/7356
Published 2013-11-05