CVE-2017-8109

Name: CVE-2017-8109
Description: The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: low (attack range: local)
Debian Bugs: 861219

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| salt (PTS) | jessie | 2014.1.13+ds-3 | fixed |
| | stretch | 2016.11.2+ds-1+deb9u2 | fixed |
| | sid | 2017.7.4+dfsg1-1 | fixed |

The information below is based on the following data on fixed versions.

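| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| salt | source | (unstable) | 2016.11.5+ds-1 | low | | 861219 |
| salt | source | jessie | (not affected) | | | |
| salt | source | stretch | 2016.11.2+ds-1+deb9u2 | low | | |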

Notes

[jessie] - salt <not-affected> (Vulnerable code not present)
https://github.com/saltstack/salt/issues/40075
https://github.com/saltstack/salt/pull/40609
https://github.com/saltstack/salt/commit/8492cef7a5c8871a3978ffc2f6e48b3b960e0151
