CVE-2017-12791
CRITICAL
SaltStack Salt < 2016.11.7 and 2017.7.0-2017.7.1 - Directory Traversal in Minion ID Validation
Title source: llm
Description
Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.
References (6)
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/saltstack/salt/pull/42944
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872399
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/100384
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1482006
Patch, Release Notes, Vendor Advisory x_refsource_confirm
https://docs.saltstack.com/en/latest/topics/releases/2017.7.1.html
Patch, Release Notes, Vendor Advisory x_refsource_confirm
https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.7.html
Scores
CVSS v3: 9.8
EPSS: 0.0463
EPSS Percentile: 90.6%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-22
Status: published
Products (4)
pypi/salt: 0 - 2016.11.7 (PyPI)
pypi/salt: 2017.7.0 - 2017.7.1 (PyPI)
saltstack/salt: 2017.7.0
saltstack/salt: < 2016.11.6
Published: Aug 23, 2017
Tracked Since: Feb 18, 2026