{"id":"USN-4769-1","summary":"salt vulnerabilities","details":"It was discovered that Salt allowed remote attackers to write to\narbitrary files via a specially crafted file. An attacker could use this\nvulnerability to cause a DoS or possibly execute arbitrary code. This\nissue only affected Ubuntu 14.04 ESM. (CVE-2014-3563)\n\nAndreas Stieger discovered that Salt exposed git usernames and passwords\nin log files. An attacker could use this issue to retrieve sensitive\ninformation. This issue only affected Ubuntu 14.04 ESM. (CVE-2015-6918)\n\nIt was discovered that Salt exposed password authentication\ncredentials in log files. An attacker could use this issue to retrieve\nsensitive information. This issue only affected Ubuntu 14.04 ESM.\n(CVE-2015-6941)\n\nIt was discovered that Salt allowed remote attackers to write to\narbitrary files via a specially crafted file. An attacker could use this\nissue to cause a DoS or possibly execute arbitrary code. (CVE-2017-12791,\nCVE-2017-14695, CVE-2017-14696)\n\nIt was discovered that Salt allowed remote attackers to determine which\nfiles exist on the server. An attacker could use this issue to extract\nsensitive information. This issue only affected Ubuntu 16.04 ESM.\n(CVE-2018-15750)\n\nIt was discovered that Salt allowed users to bypass authentication. An\nattacker could use this issue to extract sensitive information, execute\narbitrary code or crash the server. This issue only affected Ubuntu 16.04\nESM. (CVE-2018-15751)","modified":"2026-02-10T04:42:05Z","published":"2021-03-15T20:11:16Z","related":["UBUNTU-CVE-2014-3563","UBUNTU-CVE-2015-6918","UBUNTU-CVE-2015-6941","UBUNTU-CVE-2017-12791","UBUNTU-CVE-2017-14695","UBUNTU-CVE-2017-14696","UBUNTU-CVE-2018-15750","UBUNTU-CVE-2018-15751"],"upstream":["CVE-2014-3563","CVE-2015-6918","CVE-2015-6941","CVE-2017-12791","CVE-2017-14695","CVE-2017-14696","CVE-2018-15750","CVE-2018-15751","UBUNTU-CVE-2014-3563","UBUNTU-CVE-2015-6918","UBUNTU-CVE-2015-6941","UBUNTU-CVE-2017-12791","UBUNTU-CVE-2017-14695","UBUNTU-CVE-2017-14696","UBUNTU-CVE-2018-15750","UBUNTU-CVE-2018-15751"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4769-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-3563"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-6918"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-6941"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-12791"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-14695"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-14696"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-15750"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-15751"}],"affected":[{"package":{"name":"salt","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/salt@0.17.5+ds-1ubuntu0.1~esm1?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.17.5+ds-1ubuntu0.1~esm1"}]}],"versions":["0.16.0-1","0.16.4-2","0.17.1+dfsg-1","0.17.2-1","0.17.2-2","0.17.2-3","0.17.4-1","0.17.4-2","0.17.5-1","0.17.5+ds-1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_version":"0.17.5+ds-1ubuntu0.1~esm1","binary_name":"salt-common"},{"binary_version":"0.17.5+ds-1ubuntu0.1~esm1","binary_name":"salt-master"},{"binary_version":"0.17.5+ds-1ubuntu0.1~esm1","binary_name":"salt-minion"},{"binary_version":"0.17.5+ds-1ubuntu0.1~esm1","binary_name":"salt-ssh"},{"binary_version":"0.17.5+ds-1ubuntu0.1~esm1","binary_name":"salt-syndic"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4769-1.json","cves_map":{"cves":[{"id":"CVE-2014-3563","severity":[{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2015-6918","severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2015-6941","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2017-12791","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2017-14695","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2017-14696","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:14.04:LTS"}}},{"package":{"name":"salt","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/salt@2015.8.8+ds-1ubuntu0.1+esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2015.8.8+ds-1ubuntu0.1+esm1"}]}],"versions":["2015.5.3+ds-1","2015.8.1+ds-2","2015.8.3+ds-1","2015.8.3+ds-2","2015.8.3+ds-3","2015.8.5+ds-1","2015.8.7+ds-1","2015.8.8+ds-1","2015.8.8+ds-1ubuntu0.1~esm1","2015.8.8+ds-1ubuntu0.1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"2015.8.8+ds-1ubuntu0.1+esm1","binary_name":"salt-api"},{"binary_version":"2015.8.8+ds-1ubuntu0.1+esm1","binary_name":"salt-cloud"},{"binary_version":"2015.8.8+ds-1ubuntu0.1+esm1","binary_name":"salt-common"},{"binary_version":"2015.8.8+ds-1ubuntu0.1+esm1","binary_name":"salt-master"},{"binary_version":"2015.8.8+ds-1ubuntu0.1+esm1","binary_name":"salt-minion"},{"binary_version":"2015.8.8+ds-1ubuntu0.1+esm1","binary_name":"salt-proxy"},{"binary_version":"2015.8.8+ds-1ubuntu0.1+esm1","binary_name":"salt-ssh"},{"binary_version":"2015.8.8+ds-1ubuntu0.1+esm1","binary_name":"salt-syndic"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4769-1.json","cves_map":{"cves":[{"id":"CVE-2017-12791","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2017-14695","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2017-14696","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2018-15750","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2018-15751","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:16.04:LTS"}}}],"schema_version":"1.7.3"}