#VU15544 Path traversal in Salt


Published: 2018-10-25 | Updated: 2018-10-26

Vulnerability identifier: #VU15544

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2018-15750

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
Salt
Web applications / Remote management & hosting panels

Vendor: SaltStack

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input processed by the salt-api component. A remote attacker can send a query request that submits malicious input, conduct directory traversal attack and determine what files exist on the system, and this information can be used to conduct further attacks.

Mitigation
The vulnerability has been addressed in the versions 2017.7.8, 2018.3.3.

Vulnerable software versions

Salt: 2017.7.0 - 2017.7.7, 2018.3.0 - 2018.3.2


Fixed software versions

CPE

External links
http://docs.saltstack.com/en/2017.7/topics/releases/2017.7.8.html
http://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability