Main Vulnerability Database Vulnerabilities #VU32162

#VU32162 Improper Authentication in Salt - CVE-2017-5192

Published: September 26, 2017 / Updated: July 28, 2020

Vulnerability identifier: #VU32162

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2017-5192

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Salt

Software vendor:
SaltStack

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.

Remediation

Install update from vendor's website.

External links

https://docs.saltstack.com/en/2016.3/topics/releases/2015.8.13.html
https://docs.saltstack.com/en/2016.3/topics/releases/2016.3.5.html
https://docs.saltstack.com/en/latest/topics/releases/2016.11.2.html

#VU32162 Improper Authentication in Salt - CVE-2017-5192

Description

Remediation

External links

Please verify you're human