CVE-2013-4438

Description

Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe.

How to fix CVE-2013-4438

To remediate CVE-2013-4438, upgrade the affected package to a fixed version below.

• PyPI/salt—upgrade to 0.17.1 or later

Is CVE-2013-4438 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 0.17.1

References (2)

• WEBdocs.saltstack.com/topics/releases/0.17.1.html
• WEBwww.openwall.com/lists/oss-security/2013/10/18/3