Vulnerability Description
The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).
CVSS Score
7.8
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Saltstack | Salt | 2016.11 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/98095Third Party AdvisoryVDB Entry
- https://bugzilla.suse.com/show_bug.cgi?id=1035912Issue TrackingPatch
- https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.htmlPatchRelease NotesVendor Advisory
- https://github.com/saltstack/salt/issues/40075Issue TrackingPatchThird Party Advisory
- https://github.com/saltstack/salt/pull/40609Issue TrackingPatchThird Party Advisory
- https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd0050Issue TrackingPatchThird Party Advisory
- http://www.securityfocus.com/bid/98095Third Party AdvisoryVDB Entry
- https://bugzilla.suse.com/show_bug.cgi?id=1035912Issue TrackingPatch
- https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.htmlPatchRelease NotesVendor Advisory
- https://github.com/saltstack/salt/issues/40075Issue TrackingPatchThird Party Advisory
- https://github.com/saltstack/salt/pull/40609Issue TrackingPatchThird Party Advisory
- https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd0050Issue TrackingPatchThird Party Advisory
FAQ
What is CVE-2017-8109?
CVE-2017-8109 is a vulnerability with a CVSS score of 7.8 (HIGH). The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on con...
How severe is CVE-2017-8109?
CVE-2017-8109 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-8109?
Check the references section above for vendor advisories and patch information. Affected products include: Saltstack Salt.