CVE-2013-4438: Code Injection
First published: Tue Nov 05 2013(Updated: )
Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SaltStack Salt | <=0.17.0 | |
| SaltStack Salt | =0.6.0 | |
| SaltStack Salt | =0.7.0 | |
| SaltStack Salt | =0.8.0 | |
| SaltStack Salt | =0.8.7 | |
| SaltStack Salt | =0.8.8 | |
| SaltStack Salt | =0.8.9 | |
| SaltStack Salt | =0.9.0 | |
| SaltStack Salt | =0.9.2 | |
| SaltStack Salt | =0.9.3 | |
| SaltStack Salt | =0.9.4 | |
| SaltStack Salt | =0.9.5 | |
| SaltStack Salt | =0.9.6 | |
| SaltStack Salt | =0.9.7 | |
| SaltStack Salt | =0.9.8 | |
| SaltStack Salt | =0.9.9 | |
| SaltStack Salt | =0.10.0 | |
| SaltStack Salt | =0.10.2 | |
| SaltStack Salt | =0.10.3 | |
| SaltStack Salt | =0.10.4 | |
| SaltStack Salt | =0.10.5 | |
| SaltStack Salt | =0.11.0 | |
| SaltStack Salt | =0.12.0 | |
| SaltStack Salt | =0.13.0 | |
| SaltStack Salt | =0.14.0 | |
| SaltStack Salt | =0.15.0 | |
| SaltStack Salt | =0.15.1 | |
| SaltStack Salt | =0.16.0 | |
| SaltStack Salt | =0.16.2 | |
| SaltStack Salt | =0.16.3 | |
| SaltStack Salt | =0.16.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2013-4438?
CVE-2013-4438 is classified as a potential security risk due to its ability to allow remote attackers to execute arbitrary YAML code.
How do I fix CVE-2013-4438?
To address CVE-2013-4438, upgrade SaltStack to version 0.17.1 or later.
What versions of SaltStack are affected by CVE-2013-4438?
CVE-2013-4438 affects SaltStack versions prior to 0.17.1, including versions 0.6.0 through 0.16.4.
What type of attack can CVE-2013-4438 facilitate?
CVE-2013-4438 can facilitate remote code execution through unsafe processing of YAML files.
Is CVE-2013-4438 confirmed as a vulnerability by the vendor?
The vendor has stated that CVE-2013-4438 may not be a vulnerability as the YAML to be loaded is considered safe.
- collector/nvd-index
- agent/softwarecombine
- agent/type
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/remedy
- agent/description
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- vendor/saltstack
- canonical/saltstack salt
- version/saltstack salt/0.17.0
- version/saltstack salt/0.6.0
- version/saltstack salt/0.7.0
- version/saltstack salt/0.8.0
- version/saltstack salt/0.8.7
- version/saltstack salt/0.8.8
- version/saltstack salt/0.8.9
- version/saltstack salt/0.9.0
- version/saltstack salt/0.9.2
- version/saltstack salt/0.9.3
- version/saltstack salt/0.9.4
- version/saltstack salt/0.9.5
- version/saltstack salt/0.9.6
- version/saltstack salt/0.9.7
- version/saltstack salt/0.9.8
- version/saltstack salt/0.9.9
- version/saltstack salt/0.10.0
- version/saltstack salt/0.10.2
- version/saltstack salt/0.10.3
- version/saltstack salt/0.10.4
- version/saltstack salt/0.10.5
- version/saltstack salt/0.11.0
- version/saltstack salt/0.12.0
- version/saltstack salt/0.13.0
- version/saltstack salt/0.14.0
- version/saltstack salt/0.15.0
- version/saltstack salt/0.15.1
- version/saltstack salt/0.16.0
- version/saltstack salt/0.16.2
- version/saltstack salt/0.16.3
- version/saltstack salt/0.16.4