VIR Vulnerability Intelligence Relay

CVE-2016-1866

high
Published 2016-04-12 · Modified 2023-11-08
CVSS v3
8.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
6.8
VIR risk
8.1

Description

Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream.

Predictions

Exploit likelihood
88%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://docs.saltstack.com/en/latest/topics/releases/2015.8.4.html

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2016-1866.html

OS impact
OSVersionStatusFixed in
suse slesaffected
suse suse42.1affected

Package impact
EcosystemPackageVulnerableFixed
python PyPIsalt>=2015.8.0rc1,<2015.8.42015.8.4
python PyPIsalt>=2015.8,<2015.8.42015.8.4

Application impact
VendorProductVersionsFixed
saltstacksalt2015.8.0
saltstacksalt2015.8.1
saltstacksalt2015.8.2
saltstacksalt2015.8.3

References

CWEs

CWE-284

Verify integrity in audit chain (admin only). AS-IS.