| CVE-2017-14696 |
AVG-438 |
Medium |
Yes |
Denial of service |
It has been discovered that salt incorrectly handled IDs with null bytes in decoded payloads. A specially crafted authentication request will crash the... |
| CVE-2017-14695 |
AVG-438 |
Medium |
Yes |
Directory traversal |
It has been discovered that maliciously crafted minion IDs can cause unwanted directory traversals on the salt-master. The flaw is within the minion id... |
| CVE-2017-12791 |
AVG-383 |
Medium |
Yes |
Directory traversal |
It has been discovered that maliciously crafted minion IDs can cause unwanted directory traversals on the salt-master. The flaw is within the minion id... |
| CVE-2017-5200 |
AVG-159 |
High |
Yes |
Arbitrary command execution |
Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client. Users of Salt-API and salt-ssh could execute a command on the salt... |
| CVE-2017-5192 |
AVG-159 |
High |
No |
Arbitrary code execution |
The `LocalClient.cmd_batch()` method client does not accept `external_auth` credentials and so access to it from salt-api has been removed for now. This... |