ID CVE-2015-6941
Summary win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
References
Vulnerable Configurations
  • SaltStack Salt 2015 8.0
    cpe:2.3:a:saltstack:salt_2015:8.0
  • SaltStack Salt 2015 5.0
    cpe:2.3:a:saltstack:salt_2015:5.0
  • SaltStack Salt 2015 5.1
    cpe:2.3:a:saltstack:salt_2015:5.1
  • SaltStack Salt 2015 5.2
    cpe:2.3:a:saltstack:salt_2015:5.2
  • SaltStack Salt 2015 5.3
    cpe:2.3:a:saltstack:salt_2015:5.3
  • SaltStack Salt 2015 5.4
    cpe:2.3:a:saltstack:salt_2015:5.4
  • SaltStack Salt 2015 5.5
    cpe:2.3:a:saltstack:salt_2015:5.5
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-534
CAPEC
nessus via4
NASL family FreeBSD Local Security Checks
NASL id FREEBSD_PKG_3934CC60F0FA4ECABE09C8BD7AE42871.NASL
description Salt release notes : CVE-2015-6918 - Git modules leaking HTTPS auth credentials to debug log Updated the Git state and execution modules to no longer display HTTPS basic authentication credentials in loglevel debug output on the Salt master. These credentials are now replaced with REDACTED in the debug output. Thanks to Andreas Stieger for bringing this to our attention. CVE-2015-6941 - win_useradd module and salt-cloud display passwords in debug log Updated the win_useradd module return data to no longer include the password of the newly created user. The password is now replaced with the string XXX-REDACTED-XXX. Updated the Salt Cloud debug output to no longer display win_password and sudo_password authentication credentials. Also updated the Linode driver to no longer display authentication credentials in debug logs. These credentials are now replaced with REDACTED in the debug output.
last seen 2019-02-21
modified 2018-11-10
plugin id 86431
published 2015-10-19
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=86431
title FreeBSD : Salt -- multiple vulnerabilities (3934cc60-f0fa-4eca-be09-c8bd7ae42871)
refmap via4
confirm
Last major update 09-08-2017 - 12:29
Published 09-08-2017 - 12:29
Last modified 21-08-2017 - 11:25
Back to Top