Vulnerabilities > Saltstack

DATE CVE VULNERABILITY TITLE RISK
2017-08-09 CVE-2015-6941 DEPRECATED: Information Exposure Through Debug Log Files vulnerability in Saltstack Salt 2015
win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
network
low complexity
saltstack CWE-534
5.0
2017-04-25 CVE-2017-8109 Information Exposure vulnerability in Saltstack Salt
The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).
local
low complexity
saltstack CWE-200
2.1
2017-04-13 CVE-2015-1839 Data Processing Errors vulnerability in multiple products
modules/chef.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.
local
low complexity
saltstack fedoraproject CWE-19
4.6
2017-04-13 CVE-2015-1838 Data Processing Errors vulnerability in multiple products
modules/serverdensity_device.py in SaltStack before 2014.7.4 does not properly handle files in /tmp.
local
low complexity
saltstack fedoraproject CWE-19
4.6
2017-02-07 CVE-2016-9639 Improper Access Control vulnerability in Saltstack Salt
Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
network
low complexity
saltstack CWE-284
7.5
2017-01-31 CVE-2016-3176 Improper Authentication vulnerability in Saltstack Salt
Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.
network
saltstack CWE-287
4.3
2017-01-30 CVE-2015-8034 Information Exposure vulnerability in Saltstack Salt
The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.
local
low complexity
saltstack CWE-200
2.1
2016-04-12 CVE-2016-1866 Improper Access Control vulnerability in multiple products
Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream.
6.8
2014-08-22 CVE-2014-3563 Link Following vulnerability in Saltstack Salt
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.
local
low complexity
saltstack CWE-59
7.2
2013-11-05 CVE-2013-6617 Permissions, Privileges, and Access Controls vulnerability in Saltstack Salt
The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it easier for remote attackers to gain privileges.
network
low complexity
saltstack CWE-264
critical
10.0