Ubuntu Security Notice 4459-1 - It was discovered that Salt allows remote attackers to determine which files exist on the server. An attacker could use that to extract sensitive information. It was discovered that Salt has a vulnerability that allows an user to bypass authentication. An attacker could use that to extract sensitive information, execute arbitrary code or crash the server. It was discovered that Salt is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host. Various other issues were also addressed.
554a555f7c9f85d9a4dada2c6804fc228f4388887cd01c661baad5b75fd51e4d
Debian Linux Security Advisory 4676-1 - Several vulnerabilities were discovered in salt, a powerful remote execution manager, which could result in retrieve of user tokens from the salt master, execution of arbitrary commands on salt minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-api hosts.
bc8f6fb80beef063b1481154a0f467f4fb6d9239d5d229f48d3dffa80f9fa57e