[3.7] salt: Directory traversal vulnerability on salt-master via crafted minion IDs (CVE-2017-12791)
A flaw in minion ID validation was found which could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory traversal.
Fixed In Version:
salt 2016.3.7, salt 2016.11.7, salt 2017.7.1
References:
https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.7.html
Patch:
https://github.com/saltstack/salt/pull/42944/commits/63823f8c3ed02e7809fc8e61972d289bf233a9ed
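One way to validate an ID before it is used as a file name under the master's key directory, shown beside the unchecked join it replaces. This is an added example, not Salt's code or the referenced patch; the function names, the `PKI_DIR` path and the sample IDs are assumptions constructed for illustration.

```python
import os

# Assumed key directory, for illustration only.
PKI_DIR = "/etc/salt/pki/master/minions"

def naive_key_path(pki_dir, minion_id):
    """Unchecked 'before' behaviour: the ID is joined straight into the path."""
    return os.path.normpath(os.path.join(pki_dir, minion_id))

def valid_minion_id(pki_dir, minion_id):
    """Return True only if the ID names a file directly inside pki_dir."""
    if not isinstance(minion_id, str) or minion_id in ("", ".", ".."):
        return False
    # Path separators and NUL never belong in an ID used as a file name.
    if any(ch in minion_id for ch in ("/", "\\", "\0")):
        return False
    # Defence in depth: resolve the path and confirm it stays in pki_dir.
    root = os.path.realpath(pki_dir)
    target = os.path.realpath(os.path.join(root, minion_id))
    return os.path.dirname(target) == root

def rejected_ids(pki_dir, ids):
    """Return the IDs from `ids` that fail validation, for log review."""
    return [i for i in ids if not valid_minion_id(pki_dir, i)]

# Constructed sample IDs, not taken from any real incident.
SAMPLE_IDS = ["web01.example.com", "../elsewhere/web01", "..", "db\\02", "db-03"]

if __name__ == "__main__":
    for mid in SAMPLE_IDS:
        print(repr(mid), valid_minion_id(PKI_DIR, mid), naive_key_path(PKI_DIR, mid))
```

The same check can be run over the names of keys a master has already accepted to spot IDs that should never have been stored.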
(from redmine: issue id 7751, created on 2017-08-24, closed on 2017-08-30)
- Relations:
- parent #7750 (closed)
- Changesets:
- Revision d64012db by Natanael Copa on 2017-08-25T22:42:02Z:
community/salt: security upgrade to 2017.7.1 (CVE-2017-12791)
fixes #7751