Vulnerabilities > Saltstack > Salt
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-02-07 | CVE-2016-9639 | Improper Access Control vulnerability in Saltstack Salt Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching. | 7.5 |
| 2017-01-31 | CVE-2016-3176 | Improper Authentication vulnerability in Saltstack Salt Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient. | 4.3 |
| 2017-01-30 | CVE-2015-8034 | Information Exposure vulnerability in Saltstack Salt The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file. | 2.1 |
| 2016-04-12 | CVE-2016-1866 | Improper Access Control vulnerability in multiple products Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream. | 6.8 |
| 2014-08-22 | CVE-2014-3563 | Link Following vulnerability in Saltstack Salt Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud. | 7.2 |
| 2013-11-05 | CVE-2013-6617 | Permissions, Privileges, and Access Controls vulnerability in Saltstack Salt The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it easier for remote attackers to gain privileges. | 10.0 |
| 2013-11-05 | CVE-2013-4439 | Permissions, Privileges, and Access Controls vulnerability in Saltstack Salt Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key. | 4.9 |
| 2013-11-05 | CVE-2013-4438 | Code Injection vulnerability in Saltstack Salt Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. | 7.5 |
| 2013-11-05 | CVE-2013-4437 | Insecure Temporary File Handling vulnerability in Saltstack Salt 0.17.0 Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0 has unspecified impact and vectors related to "insecure Usage of /tmp." | 10.0 |
| 2013-11-05 | CVE-2013-4436 | Improper Input Validation vulnerability in Saltstack Salt 0.17.0 The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack. | 9.3 |