CVE-2016-1866 — Improper Access Control in Salt

CWE-284 — Improper Access Control7 documents6 sources

Severity

8.1HIGHNVD

EPSS

0.6%

top 29.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Saltstack Salt Opensuse Leap

Timeline

PublishedApr 12

Latest updateMay 14

Description

Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶PyPIsaltstack/salt2015.8.0rc1 — 2015.8.4+1

▶NVDsaltstack/salt4 versions+3

▶NVDopensuse/leap42.1

🔴Vulnerability Details

OSV

Salt Improper Access Control↗2022-05-14

▶

GHSA

Salt Improper Access Control↗2022-05-14

▶

CVEList

CVE-2016-1866: Salt 2015↗2016-04-12

▶

OSV

CVE-2016-1866: Salt 2015↗2016-04-12

▶

📋Vendor Advisories

Red Hat

salt: Improper handling of clear messages on the minion↗2016-01-25

▶

💬Community

Bugzilla

CVE-2016-1866 salt: Improper handling of clear messages on the minion↗2016-02-08

▶