PatchSiren

CVE-2015-8034 Saltstack CVE debrief

CVE-2015-8034 is a low-severity information disclosure issue in Salt before 2015.8.3. The state.sls function used weak permissions on cached data, which could allow a local user to read the cache file and obtain sensitive information. The issue is limited to systems where an untrusted local account can access the host, and the vulnerable range identified by NVD extends through 2015.8.2.

Vendor: Saltstack
Product: CVE-2015-8034
CVSS: LOW 3.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-30
Original CVE updated: 2026-05-13
Advisory published: 2017-01-30
Advisory updated: 2026-05-13

Who should care

Salt administrators and operators running versions before 2015.8.3 should care most, especially on multi-user systems, shared hosts, or any environment where local users are not fully trusted. Security teams should also review systems that may have cached state data exposed on disk.

Technical summary

NVD describes the flaw as weak permissions on cache data used by Salt's state.sls function. Because the cached file permissions were too permissive, a local user with filesystem access could read sensitive information. NVD maps the weakness to CWE-200 and lists the affected version range as Salt up to and including 2015.8.2. The CVSS vector reflects a local, low-complexity, low-privilege information disclosure with no integrity or availability impact.

Defensive priority

Low. This is a local information-disclosure issue with no documented impact to integrity or availability, but it still matters on multi-user systems where local accounts are not fully trusted.

Recommended defensive actions

  • Upgrade Salt to 2015.8.3 or later.
  • Review filesystem permissions on Salt cache data and confirm they restrict access to intended system users only.
  • Check shared or multi-user hosts for local accounts that could read cached state data.
  • If upgrading is delayed, reduce exposure by limiting local access to affected systems and reviewing any automation that stores sensitive data in Salt caches.
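
One way to carry out the permission review recommended above, as an added example that is not part of the original debrief or of Salt's own code. It assumes Salt's default cache root /var/cache/salt (the page names no path); pass another directory as the first argument.

```python
"""Audit a Salt cache tree for files that non-owner local users can read."""
import os
import stat
import sys

# Assumption: Salt's default cache root; the page itself names no path.
DEFAULT_CACHE_ROOT = "/var/cache/salt"

NON_OWNER_SEARCH = stat.S_IXGRP | stat.S_IXOTH


def read_exposure(mode):
    """Return which non-owner classes may read an entry with this mode."""
    who = []
    if mode & stat.S_IRGRP:
        who.append("group")
    if mode & stat.S_IROTH:
        who.append("other")
    return who


def audit_cache(root):
    """Return sorted (path, octal_mode, who) for readable, reachable files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dmode = os.lstat(dirpath).st_mode
        if not dmode & NON_OWNER_SEARCH:
            # No search (x) bit for group or other: nothing below this
            # directory is reachable by non-owners, whatever the file modes.
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other non-regular entries
            who = read_exposure(st.st_mode)
            if who:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), who))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CACHE_ROOT
    results = audit_cache(root)
    for path, mode, who in results:
        print(f"{mode} {path} readable by: {', '.join(who)}")
    sys.exit(1 if results else 0)
```

Run it as root so unreadable subdirectories are not silently skipped; the exit status is 1 when any exposed file is found, which makes it usable in a scheduled compliance check.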

Evidence notes

The description and affected range come from the NVD record for CVE-2015-8034, which states that Salt before 2015.8.3 used weak permissions on cache data and that local users could obtain sensitive information by reading the file. NVD also lists the vulnerable CPE range through 2015.8.2, assigns CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, and maps the weakness to CWE-200. The vendor release notes referenced by MITRE point to Salt 2015.8.3 as the fix milestone.

Official resources

CVE published 2017-01-30; NVD record modified 2026-05-13. The vulnerable Salt versions identified by NVD are up to and including 2015.8.2, with 2015.8.3 noted as the fix reference in the vendor material.