CVE-2017-8109

LOW

Description

The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).

References

http://www.securityfocus.com/bid/98095

https://bugzilla.suse.com/show_bug.cgi?id=1035912

https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.html

https://github.com/saltstack/salt/issues/40075

https://github.com/saltstack/salt/pull/40609

https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd00509929c3809c658

Details

Source: MITRE

Published: 2017-04-25

Updated: 2017-05-05

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 2.1

Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Impact Score: 2.9

Exploitability Score: 3.9

Severity: LOW

CVSS v3.0

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1.8

Severity: HIGH