CVE-2017-5200

Severity

90%

Complexity

80%

Confidentiality

165%

Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client.

Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client.

CVSS 3.0 Base Score 8.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 9. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C).

Overview

Type

SaltStack Salt

First reported 7 years ago

2017-09-26 14:29:00

Last updated 5 years ago

2019-10-03 00:03:00

Affected Software

SaltStack Salt 2016.3.1

2016.3.1

SaltStack Salt 2016.3.2

2016.3.2

SaltStack Salt 2016.3.3

2016.3.3

SaltStack Salt 2016.3.4

2016.3.4

SaltStack Salt 2016.11.1

2016.11.1

SaltStack Salt 2016.11.2

2016.11.2

References

https://docs.saltstack.com/en/2016.3/topics/releases/2015.8.13.html

Release Notes, Vendor Advisory

https://docs.saltstack.com/en/2016.3/topics/releases/2016.3.5.html

Release Notes, Vendor Advisory

https://docs.saltstack.com/en/latest/topics/releases/2016.11.2.html

Release Notes, Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.