What is GHSA-xxvj-8g5m-4qgw?

GHSA-xxvj-8g5m-4qgw is a security advisory published by GitHub Security Advisories with Critical severity. SaltStack Salt Directory traversal vulnerability in minion id validation

Which CVE IDs does GHSA-xxvj-8g5m-4qgw cover?

GHSA-xxvj-8g5m-4qgw covers the following CVE IDs: CVE-2017-12791. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-xxvj-8g5m-4qgw?

GHSA-xxvj-8g5m-4qgw has a CVSS v3 base score of 9.8, published by GitHub Security Advisories.

Which products are affected by GHSA-xxvj-8g5m-4qgw?

GHSA-xxvj-8g5m-4qgw affects 2 products, including: pip/salt:\u003c 2016.11.7; pip/salt:\u003e= 2017.7.0, \u003c 2017.7.1.

GHSA-xxvj-8g5m-4qgwCriticalCVSS 9.8

SaltStack Salt Directory traversal vulnerability in minion id validation

Vendor

GitHub Security Advisories

Published

May 17, 2022

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2017-12791 →

📋 Description

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID.

🎯 Affected products2

pip/salt:< 2016.11.7
pip/salt:>= 2017.7.0, < 2017.7.1

🔗 References (9)

https://nvd.nist.gov/vuln/detail/CVE-2017-12791
https://github.com/saltstack/salt/pull/42944
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872399
https://bugzilla.redhat.com/show_bug.cgi?id=1482006
https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.7.html
https://docs.saltstack.com/en/latest/topics/releases/2017.7.1.html
https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2017-35.yaml
https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2017-151.yaml
https://github.com/advisories/GHSA-xxvj-8g5m-4qgw