PYSEC-2017-82

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/salt/PYSEC-2017-82.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2017-82

Aliases

CVE-2017-8109
GHSA-xcx4-5wq7-g5g7

Published

2017-04-25T17:59:00Z

Modified

2024-04-22T22:41:52.065479Z

Summary

[none]

Details

The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).

References

https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd00509929c3809c658
https://github.com/saltstack/salt/pull/40609
https://github.com/saltstack/salt/issues/40075
https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.html
https://bugzilla.suse.com/show_bug.cgi?id=1035912
http://www.securityfocus.com/bid/98095

Affected packages

PyPI / salt

Package

Name: salt; View open source insights on deps.dev
Purl: pkg:pypi/salt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2016.11

Fixed

2016.11.4

Affected versions

2016.*

2016.11.0

2016.11.1

2016.11.2

2016.11.3