CVE-2017-14695

saltstack/salt

on github

Published

October 24, 2017

Severity

CVSS v3:

9.8 CRITICAL

CVSS v2:

7.5 HIGH

Description

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.

References

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:saltstack:salt:2016.11.2:::::::*	n/a	n/a	2016.11.2
cpe:2.3:a:saltstack:salt:2016.11.1:::::::*	n/a	n/a	2016.11.1
cpe:2.3:a:saltstack:salt:2016.11.0:::::::*	n/a	n/a	2016.11.0
cpe:2.3:a:saltstack:salt:2016.11:::::::*	n/a	n/a	2016.11
cpe:2.3:a:saltstack:salt:2016.11.3:::::::*	n/a	n/a	2016.11.3
cpe:2.3:a:saltstack:salt:2017.7.0:::::::*	n/a	n/a	2017.7.0
cpe:2.3:a:saltstack:salt:2017.7.1:::::::*	n/a	n/a	2017.7.1
cpe:2.3:a:saltstack:salt:2017.7.0:rc1::::::	n/a	n/a	2017.7.0
cpe:2.3:a:saltstack:salt:2016.11.7:::::::*	n/a	n/a	2016.11.7
cpe:2.3:a:saltstack:salt::::::::	n/a	2016.3.7 (including)	*
cpe:2.3:a:saltstack:salt:2016.11.1:rc2::::::	n/a	n/a	2016.11.1
cpe:2.3:a:saltstack:salt:2016.11.6:::::::*	n/a	n/a	2016.11.6
cpe:2.3:a:saltstack:salt:2016.11.5:::::::*	n/a	n/a	2016.11.5
cpe:2.3:a:saltstack:salt:2016.11.4:::::::*	n/a	n/a	2016.11.4
cpe:2.3:a:saltstack:salt:2016.11.1:rc1::::::	n/a	n/a	2016.11.1

External Links

NVD - CVE-2017-14695