CVE-2017-8109 — Sensitive Information Exposure in Salt

CWE-200 — Sensitive Information Exposure CWE-732 — Incorrect Permission Assignment8 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 85.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Saltstack Salt

Timeline

PublishedApr 25

Latest updateMay 17

Description

The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶PyPIsaltstack/salt2016.11 — 2016.11.4

▶NVDsaltstack/salt5 versions+4

Patches

Patch: bugzilla.suse.com ↗Patch: docs.saltstack.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

SaltStack Salt Information Exposure↗2022-05-17

▶

OSV

SaltStack Salt Information Exposure↗2022-05-17

▶

OSV

CVE-2017-8109: The salt-ssh minion code in SaltStack Salt 2016↗2017-04-25

▶

CVEList

CVE-2017-8109: The salt-ssh minion code in SaltStack Salt 2016↗2017-04-25

▶

📋Vendor Advisories

Red Hat

salt: Minion code copies over configuration from the Salt Master without adjusting permissions↗2017-04-25

▶

💬Community

Bugzilla

CVE-2017-8109 salt: Minion code copies over configuration from the Salt Master without adjusting permissions↗2017-04-26

▶

Bugzilla

CVE-2017-5192 CVE-2017-5200 CVE-2017-8109 salt: various flaws [epel-all]↗2017-02-01

▶