—

PYSEC-2018-29

Details

Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / salt

Introduced in: 0 Fixed in: 2017.7.8

Fix pip install --upgrade 'salt>=2017.7.8'

References

https://groups.google.com/d/msg/salt-users/L9xqcJ0UXxs/qgDj42obBQAJ [WEB]
https://groups.google.com/d/msg/salt-users/dimVF7rpphY/jn3Xv3MbBQAJ [WEB]
https://docs.saltstack.com/en/latest/topics/releases/2018.3.3.html [WEB]
https://docs.saltstack.com/en/2017.7/topics/releases/2017.7.8.html [WEB]
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00070.html [WEB]
https://lists.debian.org/debian-lts-announce/2020/07/msg00024.html [WEB]
https://usn.ubuntu.com/4459-1/ [WEB]
https://github.com/advisories/GHSA-jx34-pppm-gjvr [ADVISORY]