Your submission was sent successfully! Close


Published: 23 August 2017

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.

From the Ubuntu security team

It was discovered that the salt allows remote attackers to write to arbitrary files via a special crafted file. An attacker could use this vulnerability to cause a DoS or possibly execute arbitrary code.



CVSS 3 base score: 9.8


Package Release Status
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic Not vulnerable
cosmic Not vulnerable
disco Not vulnerable
eoan Not vulnerable
focal Does not exist

groovy Not vulnerable

hirsute Not vulnerable

impish Not vulnerable

jammy Not vulnerable

precise Does not exist

trusty Does not exist
(trusty was needed)
Released (2016.11.2+ds-1)
xenial Ignored
(end of standard support, was needed)
zesty Ignored
(reached end-of-life)