oss-sec mailing list archives
CVE request for saltstack minion identity usurpation
From: Michael Scherer <misc () zarb org>
Date: Sat, 12 Oct 2013 00:26:09 +0200
Hi,

While looking for saltstack issues on github, I stumbled on this pull request:
https://github.com/saltstack/salt/pull/7356

It seems that saltstack, a client/server configuration system (like puppet, chef, cfengine), allowed any minion (agent on the server to be configured) to masquerade as any other agent when requesting stuff from the master (i.e., main server).

While I didn't fully check, this would permit a compromised server to request data from another server, thus leading to a potential information leak (like password, etc.).

Can a CVE be assigned, and I will pass it to upstream on the bug report?

--
Michael Scherer