Arbitrary Code Execution Affecting salt package, versions [,2015.8.12) [2016.3, 2016.3.5) [2016.11, 2016.11.2)


Severity

0.0
high
0
10

    Threat Intelligence

    EPSS
    0.21% (59th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-SALT-40452
  • published 7 Nov 2017
  • disclosed 20 Mar 2017
  • credit Unknown

Overview

salt is a Portable, distributed, remote execution and configuration management system.

Affected versions of this package are vulnerable to Arbitrary Code Execution. When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.

References

CVSS Scores

version 3.1
Expand this section

Snyk

8.8 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

8.8 high
Expand this section

Red Hat

7.5 high