CVE-2017-5200
published 2017-09-26

Priority: P353, high, 8.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.21% (86.5th percentile)
Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client.

Affected

14 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| saltstack | salt | <= 2015.8.12 | |
| saltstack | salt | | |
| saltstack | salt | | |
| saltstack | salt | | |
| saltstack | salt | | |
| saltstack | salt | | |
| saltstack | salt | | |
| saltstack | salt | | |
| saltstack | salt | | |
| saltstack | salt | >= 0 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2016.11 < 2016.11.2 | 2016.11.2 |
| saltstack | salt | >= 2016.11.0 < 2016.11.2 | 2016.11.2 |
| saltstack | salt | >= 2016.3 < 2016.3.5 | 2016.3.5 |
| saltstack | salt | >= 2016.3.0 < 2016.3.5 | 2016.3.5 |

CVSS provenance

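| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| osv | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |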