What is the severity of CVE-2017-14695?

CVE-2017-14695 is classified as a medium-severity vulnerability due to its potential for unauthorized access.

How do I fix CVE-2017-14695?

To remediate CVE-2017-14695, upgrade to Salt version 2016.3.8, 2016.11.8, or 2017.7.2 or later.

Who is affected by CVE-2017-14695?

CVE-2017-14695 affects SaltStack Salt versions prior to 2016.3.8, 2016.11.8, and 2017.7.2.

What does CVE-2017-14695 involve?

CVE-2017-14695 is a directory traversal vulnerability that allows remote minions to authenticate with crafted minion IDs.

Can CVE-2017-14695 be exploited remotely?

Yes, CVE-2017-14695 can be exploited remotely by unauthorized minions submitting manipulated IDs.

Vulnerability/
CVE-2017-14695

critical

9.8

CWE

11/10/2017

24/10/2017

17/5/2022

21/11/2024

CVE-2017-14695: Path Traversal

First published: Wed Oct 11 2017(Updated: )

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-12791.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
SaltStack Salt	<=2016.3.7
SaltStack Salt	=2016.11
SaltStack Salt	=2016.11.0
SaltStack Salt	=2016.11.1
SaltStack Salt	=2016.11.1-rc1
SaltStack Salt	=2016.11.1-rc2
SaltStack Salt	=2016.11.2
SaltStack Salt	=2016.11.3
SaltStack Salt	=2016.11.4
SaltStack Salt	=2016.11.5
SaltStack Salt	=2016.11.6
SaltStack Salt	=2016.11.7
SaltStack Salt	=2017.7.0
SaltStack Salt	=2017.7.0-rc1
SaltStack Salt	=2017.7.1
redhat/salt	<2016.3.8	2016.3.8
redhat/salt	<2016.11.8	2016.11.8
redhat/salt	<2017.7.2	2017.7.2
pip/salt	>=2017.7.0<2017.7.2	2017.7.2
pip/salt	>=2016.11.0<2016.11.8	2016.11.8
pip/salt	<2016.3.8	2016.3.8
debian/salt

Remedy

https://github.com/saltstack/salt/commit/80d90307b07b3703428ecbb7c8bb468e28a9ae6d

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2017-14695?
CVE-2017-14695 is classified as a medium-severity vulnerability due to its potential for unauthorized access.
How do I fix CVE-2017-14695?
To remediate CVE-2017-14695, upgrade to Salt version 2016.3.8, 2016.11.8, or 2017.7.2 or later.
Who is affected by CVE-2017-14695?
CVE-2017-14695 affects SaltStack Salt versions prior to 2016.3.8, 2016.11.8, and 2017.7.2.
What does CVE-2017-14695 involve?
CVE-2017-14695 is a directory traversal vulnerability that allows remote minions to authenticate with crafted minion IDs.
Can CVE-2017-14695 be exploited remotely?
Yes, CVE-2017-14695 can be exploited remotely by unauthorized minions submitting manipulated IDs.

collector/nvd-index
agent/type
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
agent/author
agent/remedy
agent/weakness
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2017-14695
agent/software-canonical-lookup
agent/severity
collector/mitre-cve
source/MITRE
collector/security-tracker-debian
source/Debian
collector/usn-cve
source/Ubuntu
agent/softwarecombine
agent/description
collector/github-advisory-latest
source/GitHub
alias/GHSA-j6gj-pg62-x8j6
agent/references
agent/event
collector/github-advisory
collector/nvd-cve
source/NVD
agent/last-modified-date
agent/trending
agent/tags
agent/source
vendor/saltstack
canonical/saltstack salt
version/saltstack salt/2016.3.7
version/saltstack salt/2016.11
version/saltstack salt/2016.11.0
version/saltstack salt/2016.11.1
version/saltstack salt/2016.11.1-rc1
version/saltstack salt/2016.11.1-rc2
version/saltstack salt/2016.11.2
version/saltstack salt/2016.11.3
version/saltstack salt/2016.11.4
version/saltstack salt/2016.11.5
version/saltstack salt/2016.11.6
version/saltstack salt/2016.11.7
version/saltstack salt/2017.7.0
version/saltstack salt/2017.7.0-rc1
version/saltstack salt/2017.7.1
package-manager/redhat
package-manager/debian
package-manager/pip