CVE-2016-3176 — Improper Authentication in Salt

CWE-287 — Improper Authentication12 documents7 sources

Severity

5.6MEDIUMNVD

OSV3.3

EPSS

0.2%

top 62.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Saltstack Salt

Timeline

PublishedJan 31

Latest updateApr 7

Description

Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 2.2 | Impact: 3.4

Affected Packages3 packages

▶PyPIsaltstack/salt2015.8 — 2015.8.8+1

▶Ubuntusaltstack/salt< 0.17.5+ds-1ubuntu0.1~esm5

▶NVDsaltstack/salt2015.5.9+7

🔴Vulnerability Details

OSV

salt vulnerabilities↗2026-04-07

▶

GHSA

Salt Insecure configuration of PAM external authentication service↗2022-05-17

▶

OSV

Salt Insecure configuration of PAM external authentication service↗2022-05-17

▶

CVEList

CVE-2016-3176: Salt before 2015↗2017-01-31

▶

OSV

CVE-2016-3176: Salt before 2015↗2017-01-31

▶

📋Vendor Advisories

Ubuntu

Salt vulnerabilities↗2026-04-07

▶

Red Hat

salt: insecure configuration of PAM external authentication service↗2016-03-23

▶

💬Community

Bugzilla

CVE-2016-3176 salt: insecure configuration of PAM external authentication service↗2016-03-24

▶

Bugzilla

CVE-2016-3176 salt: insecure configuration of PAM external authentication service [epel-7]↗2016-03-24

▶

Bugzilla

CVE-2016-3176 salt: insecure configuration of PAM external authentication service [fedora-all]↗2016-03-24

▶

Bugzilla

CVE-2016-3176 salt: insecure configuration of PAM external authentication service [epel-6]↗2016-03-24

▶