FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

salt -- multiple vulnerabilities

Affected packages
py27-salt < 2017.7.8
2018.3.0 <= py27-salt < 2018.3.3
py32-salt < 2017.7.8
2018.3.0 <= py32-salt < 2018.3.3
py33-salt < 2017.7.8
2018.3.0 <= py33-salt < 2018.3.3
py34-salt < 2017.7.8
2018.3.0 <= py34-salt < 2018.3.3
py35-salt < 2017.7.8
2018.3.0 <= py35-salt < 2018.3.3
py36-salt < 2017.7.8
2018.3.0 <= py36-salt < 2018.3.3
py37-salt < 2017.7.8
2018.3.0 <= py37-salt < 2018.3.3

Details

VuXML ID 4f7c6af3-6a2c-4ead-8453-04e509688d45
Discovery 2018-10-24
Entry 2018-10-27

SaltStack reports:

Remote command execution and incorrect access control when using salt-api.

Directory traversal vulnerability when using salt-api. Allows an attacker to determine what files exist on a server when querying /run or /events.

References

CVE Name CVE-2018-15750
CVE Name CVE-2018-15751
URL https://docs.saltstack.com/en/2017.7/topics/releases/2017.7.8.html
URL https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html