CVE request for saltstack minion identity usurpation
From: Michael Scherer <misc () zarb org>
Date: Sat, 12 Oct 2013 00:26:09 +0200
While looking for saltstack issues on github, I stumbled on this pull
It seems that saltstack, a client/server configuration system ( like
puppet, chef, cfengine ), allowed any minion ( agent on the
server to be configured ) to masquerade as any other agent when
requesting stuff from the master ( i.e., main server ).
While I didn't fully check, this would permit a compromised server to
request data from another server, thus leading to a potential information
leak ( like password, etc. ).
Can a CVE be assigned, and I will pass it to upstream on the bug