Main Vulnerability Database SB2017013106

SB2017013106 - Improper Authentication in SaltStack Salt

Published: January 31, 2017 Updated: August 8, 2020

Security Bulletin ID SB2017013106

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper Authentication (CVE-ID: CVE-2016-3176)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.

Remediation

Install update from vendor's website.

References

https://docs.saltstack.com/en/latest/topics/releases/2015.5.10.html
https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html