CVE-2018-15751

CWE-287 — Improper Authentication CWE-20 — Improper Input Validation13 documents7 sources

Severity

9.8CRITICAL

EPSS

0.7%

top 28.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Saltstack Salt

Timeline

PublishedOct 24

Latest updateMay 13

Description

SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDsaltstack/salt2018.3.0 — 2018.3.3+1

▶PyPIsalt2017.7.0 — 2017.7.8+3

▶Ubuntusalt< 2015.8.8+ds-1ubuntu0.1+1

🔴Vulnerability Details

GHSA

SaltStack Salt Remote command execution and incorrect access control when using salt-api↗2022-05-13

▶

OSV

SaltStack Salt Remote command execution and incorrect access control when using salt-api↗2022-05-13

▶

OSV

salt vulnerabilities↗2020-08-13

▶

CVEList

CVE-2018-15751: SaltStack Salt before 2017↗2018-10-24

▶

OSV

CVE-2018-15751: SaltStack Salt before 2017↗2018-10-24

▶

📋Vendor Advisories

Ubuntu

Salt vulnerabilities↗2021-03-15

▶

Ubuntu

Salt vulnerabilities↗2020-08-13

▶

Red Hat

salt: Remote command execution and incorrect access control when using salt-api↗2018-10-25

▶

💬Community

Bugzilla

CVE-2018-15751 heketi: salt: Remote command execution and incorrect access control when using salt-api [fedora-all]↗2018-10-31

▶

Bugzilla

CVE-2018-15751 salt: Remote command execution and incorrect access control when using salt-api [epel-all]↗2018-10-31

▶

Bugzilla

CVE-2018-15751 salt: Remote command execution and incorrect access control when using salt-api↗2018-10-31

▶

Bugzilla

CVE-2018-15751 salt: Remote command execution and incorrect access control when using salt-api [fedora-all]↗2018-10-31

▶