CVE-2015-6941
Published 2017-08-09
Priority P339 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
2.22%
80.5th percentile
win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| saltstack | salt | >= 0 < c0689e32154c41f59840ae10ffc5fbfa30618710 | c0689e32154c41f59840ae10ffc5fbfa30618710 |
| saltstack | salt | >= 0 < 0.17.5+ds-1ubuntu0.1~esm1 | 0.17.5+ds-1ubuntu0.1~esm1 |
| saltstack | salt | >= 0 < 2015.8.8+ds-1ubuntu0.1+esm1 | 2015.8.8+ds-1ubuntu0.1+esm1 |
| saltstack | salt | >= 2015.5 < 2015.5.6 | 2015.5.6 |
| saltstack | salt | >= 2015.8 < 2015.8.1 | 2015.8.1 |
| saltstack | salt_2015 | — | — |
| saltstack | salt_2015 | — | — |
| saltstack | salt_2015 | — | — |
| saltstack | salt_2015 | — | — |
| saltstack | salt_2015 | — | — |
| saltstack | salt_2015 | — | — |
| saltstack | salt_2015 | — | — |
CVSS provenance
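| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.2 | HIGH | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 7.2 | HIGH | — |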
OSV
salt password information leaked in debug logs
osv·2022-05-17
CVE-2015-6941 [CRITICAL] salt password information leaked in debug logs
win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
GHSA
salt password information leaked in debug logs
ghsa·2022-05-17
CVE-2015-6941 [CRITICAL] CWE-200 salt password information leaked in debug logs
win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
OSV
salt vulnerabilities
osv·2021-03-15·CVSS 7.2
CVE-2014-3563 [HIGH] salt vulnerabilities
It was discovered that Salt allowed remote attackers to write to
arbitrary files via a specially crafted file. An attacker could use this
vulnerability to cause a DoS or possibly execute arbitrary code. This
issue only affected Ubuntu 14.04 ESM. (CVE-2014-3563)
Andreas Stieger discovered that Salt exposed git usernames and passwords
in log files. An attacker could use this issue to retrieve sensitive
information. This issue only affected Ubuntu 14.04 ESM. (CVE-2015-6918).
It was discovered that Salt exposed password authentication
credentials in log files. An attacker could use this issue to retrieve
sensitive information. This issue only affected Ubuntu 14.04 ESM.
(CVE-2015-6941)
It was discovered that Salt allowed remote attackers to write to
arbitrary files via a
OSV
CVE-2015-6941: win_useradd, salt-cloud and the Linode driver in salt 2015
osv·2017-08-09
CVE-2015-6941 CVE-2015-6941: win_useradd, salt-cloud and the Linode driver in salt 2015
win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
Ubuntu
Salt vulnerabilities
vendor_ubuntu·2021-03-15·CVSS 7.2
CVE-2015-6918 [HIGH] Salt vulnerabilities
Title: Salt vulnerabilities
Summary: Several security issues were fixed in Salt.
It was discovered that Salt allowed remote attackers to write to
arbitrary files via a specially crafted file. An attacker could use this
vulnerability to cause a DoS or possibly execute arbitrary code. This
issue only affected Ubuntu 14.04 ESM. (CVE-2014-3563)
Andreas Stieger discovered that Salt exposed git usernames and passwords
in log files. An attacker could use this issue to retrieve sensitive
information. This issue only affected Ubuntu 14.04 ESM. (CVE-2015-6918).
It was discovered that Salt exposed password authentication
credentials in log files. An attacker could use this issue to retrieve
sensitive information. This issue only affected Ubuntu 14.04 ESM.
(CVE-2015-6941)
It was discovered that Sal
Red Hat
salt: win_useradd module and salt-cloud display passwords in debug log
vendor_redhat·2015-09-12·CVSS 9.8
CVE-2015-6941 [CRITICAL] CWE-532 salt: win_useradd module and salt-cloud display passwords in debug log
win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
Package: salt (Red Hat Ceph Storage 1.2) - Will not fix
Package: salt (Red Hat Ceph Storage 1.3) - Will not fix
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-6941 salt-cloud: salt: win_useradd module and salt-cloud display passwords in debug log [fedora-all]
bugzilla·2015-10-19·CVSS 9.8
CVE-2015-6941 [CRITICAL] CVE-2015-6941 salt-cloud: salt: win_useradd module and salt-cloud display passwords in debug log [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
Bugzilla
CVE-2015-6941 salt: win_useradd module and salt-cloud display passwords in debug log
bugzilla·2015-10-19·CVSS 9.8
CVE-2015-6941 [CRITICAL] CVE-2015-6941 salt: win_useradd module and salt-cloud display passwords in debug log
Vulnerabilities in win_useradd, salt-cloud and the Linode driver were found:
* win_useradd returned data including the password of the newly created user
* salt-cloud debug output contained win_password and sudo_password authentication credentials
* Linode driver displayed authentication credentials in debug logs
Upstream patch:
https://github.com/twangboy/salt/commit/c0689e32154c41f59840ae10ffc5fbfa30618710
External reference:
https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html
https://docs.saltstack.com/en/latest/topics/releases/2015.5.6.html
Discussion:
Created salt tracking bugs for this issue:
Affects: fedora-all [bug 1273068]
Affects: epel-all [bug 1273070]
---
Created salt-clou
Bugzilla
CVE-2015-6941 salt: win_useradd module and salt-cloud display passwords in debug log [fedora-all]
bugzilla·2015-10-19·CVSS 9.8
CVE-2015-6941 [CRITICAL] CVE-2015-6941 salt: win_useradd module and salt-cloud display passwords in debug log [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple su
Bugzilla
CVE-2015-6941 salt-cloud: salt: win_useradd module and salt-cloud display passwords in debug log [epel-all]
bugzilla·2015-10-19·CVSS 9.8
CVE-2015-6941 [CRITICAL] CVE-2015-6941 salt-cloud: salt: win_useradd module and salt-cloud display passwords in debug log [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affe
Bugzilla
CVE-2015-6941 salt: win_useradd module and salt-cloud display passwords in debug log [epel-all]
bugzilla·2015-10-19·CVSS 9.8
CVE-2015-6941 [CRITICAL] CVE-2015-6941 salt: win_useradd module and salt-cloud display passwords in debug log [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
https://bugzilla.redhat.com/show_bug.cgi?id=1273066
https://docs.saltstack.com/en/latest/topics/releases/2015.5.6.html
https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html
https://github.com/twangboy/salt/commit/c0689e32154c41f59840ae10ffc5fbfa30618710
2017-08-09
Published