Bug 1273066 - (CVE-2015-6941) CVE-2015-6941 salt: win_useradd module and salt-cloud display passwords in debug log
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150912,repor...
Keywords: Security
Depends On: 1273068 1273069 1273070 1273071
Blocks: 1273067
Reported: 2015-10-19 09:56 EDT by Adam Mariš
Modified: 2015-11-20 04:08 EST
Fixed In Version: salt-2015.5.6, salt-2015.8.1
Doc Type: Bug Fix
Last Closed: 2015-11-20 04:08:17 EST
Description Adam Mariš 2015-10-19 09:56:09 EDT
Vulnerabilities in win_useradd, salt-cloud and the Linode driver were found:

* win_useradd returned data including the password of the newly created user
* salt-cloud debug output contained win_password and sudo_password authentication credentials
* Linode driver displayed authentication credentials in debug logs

Upstream patch:

https://github.com/twangboy/salt/commit/c0689e32154c41f59840ae10ffc5fbfa30618710

External reference:

https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html
https://docs.saltstack.com/en/latest/topics/releases/2015.5.6.html
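
A defensive pattern for the class of leak described above, as an added example (not Salt's code and not the upstream patch): mask values under credential-like keys before structured data reaches a debug log or a returned result. The markers other than the `password` substring (which covers `win_password` and `sudo_password`), the sample profile and all function and class names are assumptions.

```python
import logging

# Substrings that mark a key as sensitive. "password" covers win_password and
# sudo_password from the report; the other markers are assumptions.
SENSITIVE_MARKERS = ("password", "passwd", "apikey", "api_key", "secret", "token")
REDACTED = "XXX-REDACTED-XXX"

def is_sensitive(key):
    return any(m in str(key).lower() for m in SENSITIVE_MARKERS)

def redact(obj):
    """Return a copy of obj with values under sensitive keys masked."""
    if isinstance(obj, dict):
        return {k: REDACTED if is_sensitive(k) else redact(v) for k, v in obj.items()}
    if type(obj) in (list, tuple):
        return type(obj)(redact(v) for v in obj)
    return obj

class RedactingFilter(logging.Filter):
    """Mask sensitive keys in log arguments before a handler formats them."""
    def filter(self, record):
        if isinstance(record.args, dict):  # logging unwraps a lone dict argument
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        return True

class ListHandler(logging.Handler):
    """Collects formatted messages in memory so the demo runs offline."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(record.getMessage())

def demo():
    """Log a constructed provisioning profile at DEBUG; return the emitted line."""
    handler = ListHandler()
    handler.addFilter(RedactingFilter())  # filter on the handler, ahead of emit()
    log = logging.getLogger("redaction_demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    # Constructed sample data: not real credentials, not Salt's actual structures.
    vm = {"name": "win01", "win_password": "S3cr3t!", "sudo_password": "hunter2",
          "driver": {"provider": "linode", "apikey": "abc123", "size": "small"}}
    log.debug("Creating VM with kwargs: %s", vm)
    log.removeHandler(handler)
    return handler.lines[0]
```

The filter only sees structured arguments; a message that was already formatted into a string with the secret inside passes through unchanged, so callers that build such strings need to call `redact()` first.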
Comment 1 Adam Mariš 2015-10-19 09:59:27 EDT
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1273068]
Affects: epel-all [bug 1273070]
Comment 2 Adam Mariš 2015-10-19 09:59:31 EDT
Created salt-cloud tracking bugs for this issue:

Affects: fedora-all [bug 1273069]
Affects: epel-all [bug 1273071]
