CVE-2017-12791

CRITICAL

SaltStack Salt < 2016.11.7 and 2017.7.0-2017.7.1 - Directory Traversal in Minion ID Validation

Title source: llm

Description

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.

References (6)

Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/saltstack/salt/pull/42944
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872399
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/100384
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1482006
Patch, Release Notes, Vendor Advisory x_refsource_confirm
https://docs.saltstack.com/en/latest/topics/releases/2017.7.1.html
Patch, Release Notes, Vendor Advisory x_refsource_confirm
https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.7.html

Scores

CVSS v3 9.8
EPSS 0.0463
EPSS Percentile 90.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (4)
pypi/salt 0 - 2016.11.7 (PyPI)
pypi/salt 2017.7.0 - 2017.7.1 (PyPI)
saltstack/salt 2017.7.0
saltstack/salt < 2016.11.6
Published Aug 23, 2017
Tracked Since Feb 18, 2026