CVE-2015-4017
Published 2017-08-25
CVE-2015-4017: Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules.
Priority P431 · high · 7.5 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 1.05% (59.9th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| saltstack | salt | — | — |
| saltstack | salt | >= 0 < 2014.7.6 | 2014.7.6 |
CVSS provenance
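| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 7.5 | HIGH | — |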
OSV
Salt vulnerable to Improper Certificate Validation
osv·2022-05-14
CVE-2015-4017 [HIGH] Salt vulnerable to Improper Certificate Validation
Salt before 2014.7.6 does not verify certificates when connecting via the `aliyun`, `proxmox`, and `splunk` modules.
GHSA
Salt vulnerable to Improper Certificate Validation
ghsa·2022-05-14
CVE-2015-4017 [HIGH] CWE-295 Salt vulnerable to Improper Certificate Validation
Salt before 2014.7.6 does not verify certificates when connecting via the `aliyun`, `proxmox`, and `splunk` modules.
OSV
CVE-2015-4017: Salt before 2014
osv·2017-08-25
CVE-2015-4017 CVE-2015-4017: Salt before 2014
Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules.
Red Hat
salt: Certificates are not verified when connecting to server with certain modules
vendor_redhat·2015-05-02·CVSS 7.5
CVE-2015-4017 [HIGH] CWE-295 salt: Certificates are not verified when connecting to server with certain modules
Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules.
Package: salt (Red Hat Ceph Storage 1.2) - Will not fix
Package: salt (Red Hat Ceph Storage 1.3) - Will not fix
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-4017 salt: Certificates are not verified when connecting to server with certain modules [fedora-all]
bugzilla·2015-05-19·CVSS 7.5
CVE-2015-4017 [HIGH] CVE-2015-4017 salt: Certificates are not verified when connecting to server with certain modules [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
Bugzilla
CVE-2015-4017 salt: Certificates are not verified when connecting to server with certain modules [epel-all]
bugzilla·2015-05-19·CVSS 7.5
CVE-2015-4017 [HIGH] CVE-2015-4017 salt: Certificates are not verified when connecting to server with certain modules [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affe
Bugzilla
CVE-2015-4017 salt: Certificates are not verified when connecting to server with certain modules
bugzilla·2015-05-19·CVSS 7.5
CVE-2015-4017 [HIGH] CVE-2015-4017 salt: Certificates are not verified when connecting to server with certain modules
It was found that Salt does not verify the certificate when connecting via the aliyun, proxmox, and splunk modules.
This flaw has been fixed in version 2014.7.6:
https://groups.google.com/forum/#!topic/salt-users/8Kv1bytGD6c
Discussion:
Created salt tracking bugs for this issue:
Affects: fedora-all [bug 1222961]
Affects: epel-all [bug 1222962]
---
This fix was part of 2015.5.0, which was packaged on 11 May 2015. Closing.
---
We still want this open for some Red Hat products. Thank you for updating Fedora/EPEL.
---
Why?
---
There are Red Hat products which include this component. They will still be looked at to determine if this issue needs fixing there. We want to keep this open u
http://www.openwall.com/lists/oss-security/2015/05/19/2
https://bugzilla.redhat.com/show_bug.cgi?id=1222960
https://docs.saltstack.com/en/latest/topics/releases/2014.7.6.html
https://groups.google.com/forum/#%21topic/salt-users/8Kv1bytGD6c
Published: 2017-08-25