CVE-2016-3176: Salt Insecure configuration of PAM external authentication service

May 17, 2022 (updated October 21, 2024)

Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.

References

docs.saltstack.com/en/latest/topics/releases/2015.5.10.html
docs.saltstack.com/en/latest/topics/releases/2015.8.8.html
github.com/advisories/GHSA-v2rp-9cpj-pfw2
github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2017-33.yaml
github.com/saltstack/salt
nvd.nist.gov/vuln/detail/CVE-2016-3176

Code Behaviors & Features

Detect and mitigate CVE-2016-3176 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →