Vulnerability identifier: #VU15544
Vulnerability risk: Low
Exploitation vector: Network
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input processed by the salt-api component. A remote attacker can send a query request containing malicious input, conduct a directory traversal attack, and determine which files exist on the system. This information can be used to conduct further attacks.
The vulnerability has been addressed in versions 2017.7.8 and 2018.3.3.
Vulnerable software versions
Salt: 2017.7.0 - 2017.7.7, 2018.3.0 - 2018.3.2
Fixed software versions
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?