CVE-2017-8109

HIGH

SaltStack Salt 2016.11-2016.11.4 - Exposure of Sensitive Information via salt-ssh Minion Configuration

Title source: llm

Description

The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).

References (6)

Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd00509929c3809c658
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/saltstack/salt/issues/40075
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/saltstack/salt/pull/40609
Issue Tracking, Patch x_refsource_confirm
https://bugzilla.suse.com/show_bug.cgi?id=1035912
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98095
Patch, Release Notes, Vendor Advisory x_refsource_confirm
https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.html

Scores

CVSS v3 7.8
EPSS 0.0043
EPSS Percentile 34.6%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-200
Status published
Products (6)
pypi/salt 2016.11 - 2016.11.4 (PyPI)
saltstack/salt 2016.11
saltstack/salt 2016.11.0 (3 CPE variants)
saltstack/salt 2016.11.1
saltstack/salt 2016.11.2
saltstack/salt 2016.11.3
Published Apr 25, 2017
Tracked Since Feb 18, 2026