CVE-2017-14695 — Path Traversal in Salt

CWE-22 — Path Traversal9 documents7 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 43.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Saltstack Salt

Timeline

PublishedOct 24

Latest updateMay 17

Description

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶PyPIsaltstack/salt2016.11.0 — 2016.11.8+5

▶NVDsaltstack/salt2016.3.7+11

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

SaltStack Salt Directory traversal vulnerability in minion id validation↗2022-05-17

▶

GHSA

SaltStack Salt Directory traversal vulnerability in minion id validation↗2022-05-17

▶

OSV

CVE-2017-14695: Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016↗2017-10-24

▶

CVEList

CVE-2017-14695: Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016↗2017-10-24

▶

📋Vendor Advisories

Ubuntu

Salt vulnerabilities↗2021-03-15

▶

Red Hat

salt: Directory traversal in minion id validation↗2017-09-26

▶

💬Community

Bugzilla

CVE-2017-14695 CVE-2017-14696 salt: various flaws [epel-all]↗2017-10-11

▶

Bugzilla

CVE-2017-14695 salt: Directory traversal in minion id validation↗2017-10-11

▶