CVE-2015-8034
Published 2017-01-30
Priority: P47, low · 3.3 (CVSS 3.0)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.41% (32.5th percentile)
The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| saltstack | salt | <= 2015.8.2 | — |
| saltstack | salt | >= 0 < 2015.8.3 | 2015.8.3 |
| saltstack | salt | >= 0 < 0.17.5+ds-1ubuntu0.1~esm5 | 0.17.5+ds-1ubuntu0.1~esm5 |
CVSS provenance
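| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 3.3 | LOW | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 3.3 | LOW | |
| vendor_redhat | | 3.3 | LOW | |
| vendor_ubuntu | | 3.3 | LOW | |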
Ubuntu
Salt vulnerabilities
vendor_ubuntu·2026-04-07·CVSS 3.3
CVE-2016-3176 [LOW] Salt vulnerabilities
Title: Salt vulnerabilities
Summary: Several security issues were fixed in Salt.
Zach Malone discovered that Salt did not properly handle permissions to cache
data. A local attacker could possibly use this issue to obtain sensitive
information. (CVE-2015-8034)
Dylan Frese discovered that Salt incorrectly allowed users to specify PAM
service. An attacker could possibly use this issue to bypass authentication.
(CVE-2016-3176)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
salt: Information leak from state.sls cache data stored as world-readable
vendor_redhat·2015-10-30·CVSS 3.3
CVE-2015-8034 [LOW] CWE-200 salt: Information leak from state.sls cache data stored as world-readable
The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.
Package: calamari-server (Red Hat Ceph Storage 1.2) - Will not fix
Package: salt (Red Hat Ceph Storage 1.2) - Will not fix
Package: calamari-server (Red Hat Ceph Storage 1.3) - Will not fix
Package: salt (Red Hat Ceph Storage 1.3) - Will not fix
OSV
salt vulnerabilities
osv·2026-04-07·CVSS 3.3
CVE-2015-8034 [LOW] salt vulnerabilities
Zach Malone discovered that Salt did not properly handle permissions to cache
data. A local attacker could possibly use this issue to obtain sensitive
information. (CVE-2015-8034)
Dylan Frese discovered that Salt incorrectly allowed users to specify PAM
service. An attacker could possibly use this issue to bypass authentication.
(CVE-2016-3176)
GHSA
Salt uses weak permissions on the cache data
ghsa·2022-05-17
CVE-2015-8034 [LOW] CWE-200 Salt uses weak permissions on the cache data
The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.
OSV
Salt uses weak permissions on the cache data
osv·2022-05-17
CVE-2015-8034 [LOW] Salt uses weak permissions on the cache data
The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.
OSV
CVE-2015-8034: The state
osv·2017-01-30
CVE-2015-8034 CVE-2015-8034: The state
The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-8034 salt: Information leak from state.sls cache data stored as world-readable [fedora-all]
bugzilla·2015-12-07·CVSS 3.3
CVE-2015-8034 [LOW] CVE-2015-8034 salt: Information leak from state.sls cache data stored as world-readable [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2015-8034 salt: Information leak from state.sls cache data stored as world-readable
bugzilla·2015-12-07·CVSS 3.3
CVE-2015-8034 [LOW] CVE-2015-8034 salt: Information leak from state.sls cache data stored as world-readable
It was found that the state.sls function stores the state run cache on the minion on disk with incorrect permissions, making it world-readable. This file could potentially contain sensitive data that was inserted via Jinja into the state SLS files.
Upstream bug report:
https://github.com/saltstack/salt/issues/28455
Upstream patch:
https://github.com/cachedout/salt/commit/097838ec0c52b1e96f7f761e5fb3cd7e79808741
Discussion:
Created salt tracking bugs for this issue:
Affects: fedora-all [bug 1289110]
Affects: epel-all [bug 1289111]
---
The 2015.5.9 builds currently in testing include this patch already.
---
Actually, the 2015.5.8 builds in stable also include this patch, so I'm going to close th
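The world-readable cache file described in the Red Hat Bugzilla entry above, as an added example that is not Salt's code or the upstream patch: it writes one file with the mode left to the process umask and one created as 0600, then audits the directory for files readable by other local users. The file names, the sample content and the temporary directory standing in for a cache directory are constructed for illustration.

```python
import os
import stat
import tempfile

def write_cache_default(path, data):
    """Weak pattern: the mode is left to the process umask (022 gives 0644)."""
    with open(path, "w") as fh:
        fh.write(data)

def write_cache_private(path, data):
    """Hardened pattern: the file is 0600 whatever the umask is."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)  # also tightens a file that already existed
        fh.write(data)

def world_readable(root):
    """Return sorted relative paths of regular files under root that 'other' can read."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of root
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def demo():
    """Write both variants into a temporary directory and audit it."""
    old = os.umask(0o022)  # a common default umask, set explicitly for the demo
    try:
        with tempfile.TemporaryDirectory() as root:
            secret = "db_password: example\n"  # constructed sample content
            write_cache_default(os.path.join(root, "weak.cache"), secret)
            write_cache_private(os.path.join(root, "private.cache"), secret)
            return world_readable(root)
    finally:
        os.umask(old)

if __name__ == "__main__":
    print(demo())
```

The audit looks at file modes only; a parent directory that other users cannot traverse also blocks the read, so check directory modes separately when triaging a real host.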
Bugzilla
CVE-2015-8034 salt: Information leak from state.sls cache data stored as world-readable [epel-all]
bugzilla·2015-12-07·CVSS 3.3
CVE-2015-8034 [LOW] CVE-2015-8034 salt: Information leak from state.sls cache data stored as world-readable [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multi