Vulnerabilities > Saltstack

DATE CVE VULNERABILITY TITLE RISK
2018-10-24 CVE-2018-15751 Improper Authentication vulnerability in Saltstack Salt
SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to bypass authentication and execute arbitrary commands via salt-api (netapi).
network
low complexity
saltstack CWE-287
7.5
2018-10-24 CVE-2018-15750 Path Traversal vulnerability in Saltstack Salt
Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.
network
low complexity
saltstack CWE-22
5.0
2018-04-23 CVE-2017-7893 Unspecified vulnerability in Saltstack Salt
In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
network
low complexity
saltstack
7.5
2017-10-24 CVE-2017-14696 Improper Input Validation vulnerability in Saltstack Salt
SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.
network
low complexity
saltstack CWE-20
5.0
2017-10-24 CVE-2017-14695 Path Traversal vulnerability in Saltstack Salt
Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.
network
low complexity
saltstack CWE-22
7.5
2017-10-10 CVE-2015-6918 Information Exposure vulnerability in Saltstack Salt 2015
Salt before 2015.5.5 leaks Git usernames and passwords to the log.
network
saltstack CWE-200
3.5
2017-09-26 CVE-2017-5200 Unspecified vulnerability in Saltstack Salt
Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client.
network
low complexity
saltstack
critical
9.0
2017-09-26 CVE-2017-5192 Improper Authentication vulnerability in Saltstack Salt
When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.
network
low complexity
saltstack CWE-287
6.5
2017-08-25 CVE-2015-4017 Improper Certificate Validation vulnerability in Saltstack Salt 2014.7.5
Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules.
network
low complexity
saltstack CWE-295
7.5
2017-08-23 CVE-2017-12791 Path Traversal vulnerability in Saltstack Salt
Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.
network
low complexity
saltstack CWE-22
7.5