Main Vulnerability Database Vulnerabilities #VU39762

Improper Authentication in Salt - CVE-2016-3176

Published: January 31, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU39762

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-3176

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: SaltStack

Affected software:
Salt

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.

How to mitigate CVE-2016-3176

Install update from vendor's website.

Sources

https://docs.saltstack.com/en/latest/topics/releases/2015.5.10.html
https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html

Improper Authentication in Salt - CVE-2016-3176

Detailed vulnerability description

How to mitigate CVE-2016-3176

Sources

Please verify you're human