CVE-2017-8109
HIGH severity · CVSS 7.8 · Information disclosure
7.8CVSS HIGH
Summary
The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).
Impact & exploitability
Attack vectorLocal
Attack complexityLow
Privileges requiredLow
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)0%
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: https://bugzilla.suse.com/show_bug.cgi?id=1035912 ↗
Additional information
- NVD record
- https://bugzilla.suse.com/show_bug.cgi?id=1035912Patch
- https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.htmlPatch
- https://github.com/saltstack/salt/issues/40075Patch
- https://github.com/saltstack/salt/pull/40609Patch
- https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd00509929c3809c658Patch
- http://www.securityfocus.com/bid/98095Advisory