CVE-2017-5192
HIGHSaltStack Salt < 2015.8.13, 2016.3.x < 2016.3.5, 2016.11.x < 2016.11.2 - Authentication Bypass via local_batch Client
Title source: llmDescription
When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.
References (3)
Core 3
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://docs.saltstack.com/en/2016.3/topics/releases/2015.8.13.html
Release Notes, Vendor Advisory x_refsource_confirm
https://docs.saltstack.com/en/2016.3/topics/releases/2016.3.5.html
Release Notes, Vendor Advisory x_refsource_confirm
https://docs.saltstack.com/en/latest/topics/releases/2016.11.2.html
Scores
CVSS v3
8.8
EPSS
0.0168
EPSS Percentile
74.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (10)
pypi/salt
0 - 2015.8.13PyPI
saltstack/salt
2016.3.0
saltstack/salt
2016.3.1
saltstack/salt
2016.3.2
saltstack/salt
2016.3.3
saltstack/salt
2016.3.4
saltstack/salt
2016.11.0
saltstack/salt
2016.11.1
saltstack/salt
2016.11.2
saltstack/salt
< 2015.8.12
Published
Sep 26, 2017
Tracked Since
Feb 18, 2026