CVE-2017-5192
published 2017-09-26
Priority P3 · 53 · high · 8.8 CVSS 3.0
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS 1.68% (74.1th percentile)
When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| saltstack | salt | <= 2015.8.12 | — |
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | >= 0 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2016.11 < 2016.11.2 | 2016.11.2 |
| saltstack | salt | >= 2016.11.0 < 2016.11.2 | 2016.11.2 |
| saltstack | salt | >= 2016.3 < 2016.3.5 | 2016.3.5 |
| saltstack | salt | >= 2016.3.0 < 2016.3.5 | 2016.3.5 |
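CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |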
OSV
SaltStack Salt Authentication Bypass when using the local_batch client from salt-api
osv·2022-05-17
CVE-2017-5192 [HIGH] SaltStack Salt Authentication Bypass when using the local_batch client from salt-api
When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.
GHSA
SaltStack Salt Authentication Bypass when using the local_batch client from salt-api
ghsa·2022-05-17
CVE-2017-5192 [HIGH] CWE-287 SaltStack Salt Authentication Bypass when using the local_batch client from salt-api
When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.
OSV
CVE-2017-5192: When using the local_batch client from salt-api in SaltStack Salt before 2015
osv·2017-09-26
CVE-2017-5192 CVE-2017-5192: When using the local_batch client from salt-api in SaltStack Salt before 2015
When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.
OSV
CVE-2017-5192: When using the local_batch client from salt-api in SaltStack Salt before 2015
osv·2017-09-26·CVSS 8.8
CVE-2017-5192 [HIGH] CVE-2017-5192: When using the local_batch client from salt-api in SaltStack Salt before 2015
When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed. The LocalClient.cmd_batch() method client does not accept external_auth credentials and so access to it from salt-api has been removed for now. This vulnerability allows code execution for already-authenticated users and is only in effect when running salt-api as the root user.
Red Hat
salt: local_batch client external authentication not respected
vendor_redhat·2017-01-20·CVSS 8.8
CVE-2017-5192 [HIGH] salt: local_batch client external authentication not respected
When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.
Statement: This issue did not affect the versions of the salt as shipped with Red Hat Ceph Storage 1.3, Red Hat Ceph Storage 2, and Red Hat Storage Console 2 as salt-api and salt-ssh are not shipped with these products.
Mitigation: Disable salt-api for mitigation.
Package: salt (Red Hat Ceph Storage 1.3) - Not affected
Package: salt (Red Hat Ceph Storage 2) - Not affected
Package: salt (Red Hat Storage Console 2) - Not affected
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-5192 salt: local_batch client external authentication not respected
bugzilla·2017-02-01·CVSS 8.8
CVE-2017-5192 [HIGH] CVE-2017-5192 salt: local_batch client external authentication not respected
The LocalClient.cmd_batch() method client does not accept external_auth credentials and so access to it from salt-api has been removed for now. This vulnerability allows code execution for already-authenticated users and is only in effect when running salt-api as the root user.
References:
https://docs.saltstack.com/en/2016.3/topics/releases/2015.8.13.html
Discussion:
Created salt tracking bugs for this issue:
Affects: epel-all [bug 1418350]
---
Mitigation:
Disable salt-api for mitigation.
---
Statement:
This issue did not affect the versions of the salt as shipped with Red Hat Ceph Storage 1.3, Red Hat Ceph Storage 2, and Red Hat Storage Console 2 as salt-api and salt-ssh are not shipped with these pr
Bugzilla
CVE-2017-5192 CVE-2017-5200 CVE-2017-8109 salt: various flaws [epel-all]
bugzilla·2017-02-01·CVSS 8.8
CVE-2017-5192 [HIGH] CVE-2017-5192 CVE-2017-5200 CVE-2017-8109 salt: various flaws [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fed
https://docs.saltstack.com/en/2016.3/topics/releases/2015.8.13.html
https://docs.saltstack.com/en/2016.3/topics/releases/2016.3.5.html
https://docs.saltstack.com/en/latest/topics/releases/2016.11.2.html
Published 2017-09-26