This issue allowed for a user with limited privileges to embed executions inside of routines to execute routines that should be restricted. This applies to users using external auth or client ACL and opening up specific routines. Be advised that these patches address the direct issue. Additional commits have been applied to help mitigate this issue from resurfacing.

CVE
===
CVE-2013-4435

Affected Versions
=================
0.15.0 - 0.17.0

Patches
=======
https://github.com/saltstack/salt/commit/6d8ef68b605fd63c36bb8ed96122a75ad2e80269
https://github.com/saltstack/salt/commit/ebdef37b7e5d2b95a01d34b211c61c61da67e46a
https://github.com/saltstack/salt/commit/7f190ff890e47cdd591d9d7cefa5126574660824
https://github.com/saltstack/salt/commit/8e5afe59cef6743fe5dbd510dcf463dbdfca1ced
https://github.com/saltstack/salt/commit/aca78f314481082862e96d4f0c1b75fa382bb885
https://github.com/saltstack/salt/commit/6a9752cdb1e8df2c9505ea910434c79d132eb1e2
https://github.com/saltstack/salt/commit/b73677435ba54ecfc93c1c2d840a7f9ba6f53410
https://github.com/saltstack/salt/commit/07972eb0a6f985749a55d8d4a2e471596591c80d
https://github.com/saltstack/salt/commit/1e3f197726aa13ac5c3f2416000089f477f489b5

Found By
========
Feth Arezki, of Majerti

Additional URLs
===============
http://thread.gmane.org/gmane.comp.security.oss.general/11284/focus=11312

We have 4 affected versions in tree: v0.16.{0,2,3,4}

v0.17.1, which fixes this vulnerability, was released on 18th October 2013 but isn't yet in tree.

Reproducible: Always
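The bug class described in the advisory is an authorization check that compares only the top-level routine name against the ACL, so a permitted "wrapper" routine can carry a restricted routine inside its arguments. The following is an added, constructed model of that check and of a hardened version that walks every routine a request would invoke; it is not SaltStack's code, and the ACL entries, the user name `alice`, the wrapper routine `wrap.call` and the request layout (`fun` plus an `arg` list whose first element names the inner routine) are all assumptions made for the illustration.

```python
"""Constructed model of a client-ACL check bypassed by embedding one routine
inside another, beside a hardened check that inspects nested routines.
Illustrative only; not the project's own implementation."""
import fnmatch

# Constructed ACL: the low-privilege user may run test.ping, anything under
# grains.*, and the hypothetical wrapper routine wrap.call.
ACL = {
    "alice": ["test.ping", "grains.*", "wrap.call"],
}

# Hypothetical routines that take another routine's name as their first
# argument and run it on the caller's behalf (the "embedding" in the advisory).
WRAPPER_FUNCTIONS = {"wrap.call"}


def _name_allowed(user, fun):
    """True if any ACL glob for this user matches the routine name."""
    return any(fnmatch.fnmatchcase(fun, pat) for pat in ACL.get(user, []))


def weak_check(user, request):
    """Pre-fix style check: only the top-level routine is compared to the ACL,
    so a permitted wrapper can smuggle a restricted routine in its arguments."""
    return _name_allowed(user, request["fun"])


def routines_invoked(request):
    """Return every routine name the request would run, walking wrappers to
    any depth. Returns None when a wrapper's inner target cannot be determined."""
    names = [request["fun"]]
    if request["fun"] not in WRAPPER_FUNCTIONS:
        return names
    arg = request.get("arg", [])
    if not arg or not isinstance(arg[0], str):
        return None  # wrapper without an identifiable inner routine
    # Assumed wrapper convention: arg[0] names the inner routine, arg[1] (if a
    # list) holds that routine's own arguments, which may nest again.
    inner_arg = arg[1] if len(arg) > 1 and isinstance(arg[1], list) else []
    inner = routines_invoked({"fun": arg[0], "arg": inner_arg})
    if inner is None:
        return None
    return names + inner


def hardened_check(user, request):
    """Post-fix style check: every routine the request would run, including
    those embedded inside wrappers at any depth, must pass the ACL. Fails
    closed when the inner target of a wrapper cannot be determined."""
    names = routines_invoked(request)
    if names is None:
        return False
    return all(_name_allowed(user, fun) for fun in names)


if __name__ == "__main__":
    # Constructed request: a permitted wrapper carrying a restricted routine.
    nested = {"fun": "wrap.call", "arg": ["cmd.run", ["id"]]}
    print("weak check    :", weak_check("alice", nested))      # True (bypass)
    print("hardened check:", hardened_check("alice", nested))  # False
```

The hardened check enumerates the full set of routines a request would run before consulting the ACL, and refuses the request outright when a wrapper's target cannot be parsed; a check that only stops at the first nested level would still be bypassable by wrapping a wrapper.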
CVE-2013-4435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4435): Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated users who are using external authentication or client ACL to execute restricted routines by embedding the routine in another routine.
0.17.2 in tree. @maintainer: please clean up.
Old versions cleaned up or unkeyworded. I am keeping 0.16.4 in the tree (unkeyworded) for the moment as we are still using it locally.
Maintainer(s), Thank you for your work! No stable versions - No GLSA