CVE-2015-4017
Severity: high
CVSS v3: 7.5
CVSS v2: 5.0
VIR risk: 7.5
Description
Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules.
Predictions
Exploit likelihood: 83%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
- Vendor advisory (cve@mitre.org): https://docs.saltstack.com/en/latest/topics/releases/2014.7.6.html
- Vendor advisory (cve@mitre.org): https://bugzilla.redhat.com/show_bug.cgi?id=1222960
- Vendor advisory (cve@mitre.org): http://www.openwall.com/lists/oss-security/2015/05/19/2
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | salt | <2014.7.6 | 2014.7.6 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| saltstack | salt | 2014.7.5 | |
References
- http://www.openwall.com/lists/oss-security/2015/05/19/2
- https://bugzilla.redhat.com/show_bug.cgi?id=1222960
- https://docs.saltstack.com/en/latest/topics/releases/2014.7.6.html
- https://groups.google.com/forum/#%21topic/salt-users/8Kv1bytGD6c
- https://nvd.nist.gov/vuln/detail/CVE-2015-4017
- https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2017-31.yaml
- https://github.com/saltstack/salt
CWEs
CWE-295 (Improper Certificate Validation)