CVE-2014-3563
Published: 22 August 2014
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.
From the Ubuntu Security Team
It was discovered that Salt allows remote attackers to write to arbitrary files via a specially crafted file. An attacker could use this vulnerability to cause a DoS or possibly execute arbitrary code.
Priority
Status
Package | Release | Status |
---|---|---|
salt (Launchpad, Ubuntu, Debian) | artful | Not vulnerable (2014.1.10+ds-1) |
 | bionic | Not vulnerable (2014.1.10+ds-1) |
 | cosmic | Not vulnerable (2014.1.10+ds-1) |
 | disco | Not vulnerable (2014.1.10+ds-1) |
 | lucid | Does not exist |
 | precise | Does not exist |
 | trusty | Released (0.17.5+ds-1ubuntu0.1~esm1). Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
 | upstream | Released (2014.1.10+ds-1) |
 | utopic | Not vulnerable (2014.1.10+ds-1) |
 | vivid | Not vulnerable (2014.1.10+ds-1) |
 | wily | Not vulnerable (2014.1.10+ds-1) |
 | xenial | Not vulnerable (2014.1.10+ds-1) |
 | yakkety | Not vulnerable (2014.1.10+ds-1) |
 | zesty | Not vulnerable (2014.1.10+ds-1) |

This vulnerability is mitigated in part by the use of symlink restrictions in Ubuntu.
References
- http://docs.saltstack.com/en/latest/topics/releases/2014.1.10.html
- http://xforce.iss.net/xforce/xfdb/95392
- http://seclists.org/oss-sec/2014/q3/428
- https://github.com/saltstack/salt/commit/7d4c470f91fcb43f505bfd220605fede1041437c
- https://github.com/saltstack/salt/commit/2b8953adcbf1527bb330b12c9d59f1753ecaf78d
- https://www.cve.org/CVERecord?id=CVE-2014-3563
- NVD
- Launchpad
- Debian