Synced 17 Jun 2026 22:27 UTC Account
← All products

CVE-2013-4436

HIGH severity · CVSS 9.3 · Improper input validation
9.3CVSS HIGH

Summary

The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

Impact & exploitability

Attack vectorNetwork
Attack complexity
Privileges required
User interaction
Confidentiality impact
Integrity impact
Availability impact
Exploit probability (EPSS)2%

AV:N/AC:M/Au:N/C:C/I:C/A:C

Affected products we track (1)

Salt

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: http://docs.saltstack.com/topics/releases/0.17.1.html ↗

Additional information