SaltStack Salt arbitrary command execution in Salt-api via ssh_client
High severity • GitHub Reviewed • Published May 13, 2022 to the GitHub Advisory Database • Updated Oct 21, 2024
Package
Affected versions: < 2015.8.13 (patched in 2015.8.13)
Affected versions: >= 2016.3.0, < 2016.3.5 (patched in 2016.3.5)
Affected versions: >= 2016.11.0, < 2016.11.2 (patched in 2016.11.2)
Description
Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client.

Published by the National Vulnerability Database: Sep 26, 2017
Published to the GitHub Advisory Database: May 13, 2022
Reviewed: Apr 22, 2024
Last updated: Oct 21, 2024