Security restrictions bypass in Salt - CVE-2017-7893
Published: April 27, 2018
Vulnerability identifier: #VU12278
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-7893
CWE-ID: CWE-264
Exploitation vector: Adjacent network
Exploit availability:
No public exploit available
Vendor: SaltStack
Affected software:
Salt
Detailed vulnerability description
The vulnerability allows an adjacent unauthenticated attacker to bypass security restrictions on the target system.
The weakness exists due to an unspecified condition in the trust relationship between a salt-master server and its salt-minion clients. An adjacent attacker can bypass security restrictions and impersonate a salt-master server in the target environment.
How to mitigate CVE-2017-7893
Update to version 2016.3.6 or later.