CVE-2017-8109

EUVD-2017-0126
The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
Affected Products (NVD)
VendorProductVersion
saltstacksalt
2016.11
saltstacksalt
2016.11.0
saltstacksalt
2016.11.0:rc1
saltstacksalt
2016.11.0:rc2
saltstacksalt
2016.11.1
saltstacksalt
2016.11.2
saltstacksalt
2016.11.3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
salt
artful
ignored
bionic
not-affected
cosmic
not-affected
precise
dne
trusty
not-affected
xenial
not-affected
yakkety
ignored
zesty
ignored
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/98095
https://bugzilla.suse.com/show_bug.cgi?id=1035912
https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.html
https://github.com/saltstack/salt/issues/40075
https://github.com/saltstack/salt/pull/40609
https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd00509929c3809c658
http://www.securityfocus.com/bid/98095
https://bugzilla.suse.com/show_bug.cgi?id=1035912
https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.html
https://github.com/saltstack/salt/issues/40075
https://github.com/saltstack/salt/pull/40609
https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd00509929c3809c658