CVE-2017-8109
HIGH
SaltStack Salt 2016.11-2016.11.4 - Exposure of Sensitive Information via salt-ssh Minion Configuration
Title source: llm
Description
The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).
References (6)
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd00509929c3809c658
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/saltstack/salt/issues/40075
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/saltstack/salt/pull/40609
Issue Tracking, Patch x_refsource_confirm
https://bugzilla.suse.com/show_bug.cgi?id=1035912
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98095
Patch, Release Notes, Vendor Advisory x_refsource_confirm
https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.html
Scores
CVSS v3
7.8
EPSS
0.0043
EPSS Percentile
34.6%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-200
Status
published
Products (6)
pypi/salt
2016.11 - 2016.11.4 PyPI
saltstack/salt
2016.11
saltstack/salt
2016.11.0 (3 CPE variants)
saltstack/salt
2016.11.1
saltstack/salt
2016.11.2
saltstack/salt
2016.11.3
Published
Apr 25, 2017
Tracked Since
Feb 18, 2026