CVE-2015-8034
low
CVSS v3
3.3
CVSS v2
2.1
VIR risk
3.3
Description
The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.
Predictions
Exploit likelihood
34%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://docs.saltstack.com/en/latest/topics/releases/2015.8.3.html
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2015-8034.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | salt | <2015.8.3 | 2015.8.3 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| saltstack | salt | <=2015.8.2 | |
References
- https://www.suse.com/security/cve/CVE-2015-8034.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-8034
- https://github.com/saltstack/salt/issues/28455
- https://docs.saltstack.com/en/latest/topics/releases/2015.8.3.html
- https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2017-32.yaml
- https://github.com/saltstack/salt
- https://web.archive.org/web/20200227192308/http://www.securityfocus.com/bid/96390
- http://www.securityfocus.com/bid/96390
CWEs
CWE-200