Main Vulnerability Database Vulnerabilities #VU39762

#VU39762 Improper Authentication in Salt - CVE-2016-3176

Published: January 31, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU39762

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-3176

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Salt

Software vendor:
SaltStack

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.

Remediation

Install update from vendor's website.

External links

https://docs.saltstack.com/en/latest/topics/releases/2015.5.10.html
https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html