Description
Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| salt | fixed | 2015.8.8+ds-1 | | package |
| salt | no-dsa | | jessie | package |
Notes
external_auth seems not usable by default under Jessie due to the
permissions on /var/run/salt/master.
https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html
https://docs.saltstack.com/en/latest/topics/releases/2015.5.10.html
https://github.com/saltstack/salt/pull/31826/commits/d73f70ebb289142e4f692359fe741a54f5d2ad65
Fixed in 2015.5.10/2015.8.8 upstream
Related vulnerabilities
Salt Insecure configuration of PAM external authentication service