CVE-2017-8109
Publication date 25 April 2017
Last updated 25 August 2025
Ubuntu priority
Description
The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| salt | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
Severity score breakdown
CVSS version: CVSS v3.0
Base score
7.8 · High
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
Other references
- https://github.com/saltstack/salt/issues/40075
- https://github.com/saltstack/salt/pull/40609
- https://github.com/saltstack/salt/commit/8492cef7a5c8871a3978ffc2f6e48b3b960e0151
- https://bugzilla.suse.com/show_bug.cgi?id=1035912
- https://docs.saltstack.com/en/latest/topics/releases/2016.11.4.html
- https://github.com/saltstack/salt/pull/40609/commits/6e34c2b5e5e849302af7ccd00509929c3809c658
- https://www.cve.org/CVERecord?id=CVE-2017-8109