Bug 1113698 - (CVE-2018-15750) VUL-0: CVE-2018-15750: salt: directory traversal vulnerability in salt-api
(CVE-2018-15750)
VUL-0: CVE-2018-15750: salt: directory traversal vulnerability in salt-api
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/218028/
CVSSv3:SUSE:CVE-2018-15750:8.7:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-10-29 10:40 UTC by Alexander Bergmann
Modified: 2022-05-02 12:32 UTC (History)
10 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 9 Swamp Workflow Management 2018-11-19 17:14:56 UTC
SUSE-RU-2018:3809-1: An update that has 38 recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1034030,1037389,1042184,1080474,1090676,1094524,1094705,1094992,1095220,1095942,1095972,1096319,1096494,1096511,1098970,1099857,1100852,1101033,1104120,1104487,1105045,1105074,1105720,1105724,1105886,1106164,1106875,1107117,1107302,1107850,1107869,1109235,1111249,1111542,1112163,1113557,1113698,1113699
CVE References: 
Sources used:
SUSE Manager Server 3.1 (src):    release-notes-susemanager-3.1.9-5.41.1, susemanager-docs_en-3.1-10.23.1
SUSE Manager Proxy 3.1 (src):    release-notes-susemanager-proxy-3.1.9-0.15.32.1
Comment 10 Swamp Workflow Management 2018-11-19 20:13:39 UTC
SUSE-SU-2018:3811-1: An update that solves two vulnerabilities and has 33 fixes is now available.

Category: security (moderate)
Bug References: 1034030,1037389,1042184,1080474,1090676,1094524,1094992,1095220,1095942,1095972,1096511,1098970,1099857,1100852,1101033,1104120,1104487,1105045,1105074,1105720,1105724,1105886,1106164,1106875,1107117,1107302,1107850,1107869,1109235,1111249,1111542,1112163,1113557,1113698,1113699
CVE References: CVE-2017-14695,CVE-2017-14696
Sources used:
SUSE Manager Server 3.1 (src):    apache-mybatis-3.2.3-1.3.1, hadoop-0.18.1-1.3.1, icu4j-55.1-1.3.1, lucene-2.4.1-1.3.1, nekohtml-1.9.21-1.3.1, nutch-core-1.0.1-1.3.1, picocontainer-1.3.7-1.3.1, py26-compat-salt-2016.11.10-1.16.1, smdba-1.6.2-0.2.9.1, spacecmd-2.7.8.13-2.26.1, spacewalk-2.7.0.6-2.6.1, spacewalk-backend-2.7.73.15-2.26.1, spacewalk-branding-2.7.2.15-2.25.1, spacewalk-doc-indexes-2.7.0.4-2.6.1, spacewalk-java-2.7.46.17-2.35.1, spacewalk-search-2.7.3.6-2.16.1, spacewalk-utils-2.7.10.9-2.17.1, spacewalk-web-2.7.1.19-2.29.1, subscription-matcher-0.21-4.6.1, susemanager-3.1.16-2.26.1, susemanager-branding-oss-3.1.2-3.3.1, susemanager-schema-3.1.20-2.33.1, susemanager-sls-3.1.19-2.30.1, susemanager-sync-data-3.1.16-2.29.1, tagsoup-1.2.1-1.3.1, tika-core-1.19.1-1.3.1
Comment 11 Swamp Workflow Management 2018-11-19 20:14:56 UTC
SUSE-SU-2018:3813-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1113698,1113699
CVE References: CVE-2018-15750,CVE-2018-15751
Sources used:
SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (src):    salt-2016.11.10-43.38.1
SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (src):    salt-2016.11.10-43.38.1
Comment 12 Swamp Workflow Management 2018-11-20 14:09:14 UTC
SUSE-SU-2018:3815-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1110938,1113698,1113699,1113784,1114197
CVE References: CVE-2018-15750,CVE-2018-15751
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    salt-2018.3.0-5.20.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    salt-2018.3.0-5.20.1
Comment 13 Swamp Workflow Management 2018-11-20 14:10:23 UTC
SUSE-SU-2018:3816-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1113698,1113699
CVE References: CVE-2018-15750,CVE-2018-15751
Sources used:
SUSE Manager Server 3.2 (src):    py26-compat-salt-2016.11.10-6.15.1
Comment 14 Swamp Workflow Management 2018-11-22 20:10:41 UTC
SUSE-SU-2018:3862-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1110938,1113698,1113699,1113784,1114197
CVE References: CVE-2018-15750,CVE-2018-15751
Sources used:
SUSE Manager Tools 12 (src):    salt-2018.3.0-46.44.1
SUSE Manager Server 3.2 (src):    salt-2018.3.0-46.44.1
SUSE Manager Server 3.1 (src):    salt-2018.3.0-46.44.1
SUSE Manager Server 3.0 (src):    salt-2018.3.0-46.44.1
SUSE Manager Proxy 3.2 (src):    salt-2018.3.0-46.44.1
SUSE Manager Proxy 3.1 (src):    salt-2018.3.0-46.44.1
SUSE Manager Proxy 3.0 (src):    salt-2018.3.0-46.44.1
SUSE Linux Enterprise Point of Sale 12-SP2 (src):    salt-2018.3.0-46.44.1
SUSE Linux Enterprise Module for Advanced Systems Management 12 (src):    salt-2018.3.0-46.44.1
SUSE CaaS Platform 3.0 (src):    salt-2018.3.0-46.44.1
OpenStack Cloud Magnum Orchestration 7 (src):    salt-2018.3.0-46.44.1
Comment 15 Swamp Workflow Management 2018-12-17 17:40:16 UTC
This is an autogenerated message for OBS integration:
This bug (1113698) was mentioned in
https://build.opensuse.org/request/show/658952 15.0 / salt
Comment 16 Swamp Workflow Management 2018-12-18 11:42:56 UTC
This is an autogenerated message for OBS integration:
This bug (1113698) was mentioned in
https://build.opensuse.org/request/show/659069 42.3 / salt
Comment 17 Swamp Workflow Management 2018-12-18 14:09:36 UTC
openSUSE-SU-2018:4174-1: An update that solves two vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1110938,1112874,1113698,1113699,1113784,1114197,1114824
CVE References: CVE-2018-15750,CVE-2018-15751
Sources used:
openSUSE Leap 15.0 (src):    salt-2018.3.0-lp150.3.17.1
Comment 18 Swamp Workflow Management 2018-12-19 20:11:21 UTC
openSUSE-SU-2018:4197-1: An update that solves two vulnerabilities and has 11 fixes is now available.

Category: security (moderate)
Bug References: 1104491,1107333,1108557,1108834,1108995,1109893,1110938,1112874,1113698,1113699,1113784,1114197,1114824
CVE References: CVE-2018-15750,CVE-2018-15751
Sources used:
openSUSE Leap 42.3 (src):    salt-2018.3.0-23.1
Comment 20 Swamp Workflow Management 2019-02-27 17:23:57 UTC
SUSE-OU-2019:13965-1: An update that solves 7 vulnerabilities and has 144 fixes is now available.

Category: optional (low)
Bug References: 1002529,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1017078,1019386,1020831,1022562,1022841,1023535,1025896,1027044,1027240,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1071322,1072599,1075950,1079048,1081592,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101812,1101880,1102013,1102218,1102265,1103530,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893,1110938,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116837,1117995,1121091,1123044,1123512,1123865,849184,849204,849205,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751
Sources used:
Comment 21 Swamp Workflow Management 2019-02-27 17:55:15 UTC
SUSE-OU-2019:13964-1: An update that solves 7 vulnerabilities and has 144 fixes is now available.

Category: optional (low)
Bug References: 1002529,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1017078,1019386,1020831,1022562,1022841,1023535,1025896,1027044,1027240,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1071322,1072599,1075950,1079048,1081592,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101812,1101880,1102013,1102218,1102265,1103530,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893,1110938,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116837,1117995,1121091,1123044,1123512,1123865,849184,849204,849205,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751
Sources used:
Comment 23 Mihai Dincă 2019-08-07 13:13:35 UTC
Closing.
Comment 28 Swamp Workflow Management 2020-06-23 16:32:46 UTC
SUSE-SU-2020:14402-1: An update that solves 11 vulnerabilities and has 245 fixes is now available.

Category: security (moderate)
Bug References: 1002529,1003449,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1013876,1013938,1015882,1017078,1019386,1020831,1022562,1022841,1023535,1024406,1025896,1027044,1027240,1027426,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1044719,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1070372,1071322,1072599,1075950,1076578,1079048,1080290,1081151,1081592,1083294,1085667,1087055,1087278,1087581,1087891,1088070,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1094190,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101780,1101812,1101880,1102013,1102218,1102265,1102819,1103090,1103530,1103696,1104034,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109023,1109893,1110938,1111542,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116343,1116837,1117995,1121091,1121439,1122663,1122680,1123044,1123512,1123865,1124277,1125015,1125610,1125744,1127389,1128061,1128554,1129079,1129243,1130077,1130588,1130784,1131114,1132076,1133523,1133647,1134860,1135360,1135507,1135567,1135732,1135881,1137642,1138454,1139761,1140193,1140912,1143301,1146192,1146382,1148311,1148714,1150447,1151650,1151947,1152366,1153090,1153277,1153611,1154620,1154940,1155372,1157465,1157479,1158441,1159284,1162327,1162504,1163871,1163981,1165425,1165572,1167437,1167556,1168340,1169604,1169800,1170104,1170288,1170595,1171687,1171906,1172075,1173072,769106,769108,776615,849184,849204,849205,879904,887879,889605,892707,902494,908849,926318,932288,945380,948245,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,977264,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,987798,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2020-07-21 04:30:35 UTC
SUSE-SU-2020:14431-1: An update that solves 11 vulnerabilities and has 251 fixes is now available.

Category: security (moderate)
Bug References: 1002529,1003449,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1013876,1013938,1015882,1017078,1019386,1020831,1022562,1022841,1023535,1024406,1025896,1027044,1027240,1027426,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1044719,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1070372,1071322,1072599,1075950,1076578,1079048,1080290,1081151,1081592,1083294,1085667,1087055,1087278,1087581,1087891,1088070,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1094190,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101780,1101812,1101880,1102013,1102218,1102265,1102819,1103090,1103530,1103696,1104034,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109023,1109893,1110938,1111542,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116343,1116837,1117995,1121091,1121439,1122663,1122680,1123044,1123512,1123865,1124277,1125015,1125610,1125744,1127389,1128061,1128554,1129079,1129243,1130077,1130588,1130784,1131114,1132076,1133523,1133647,1134860,1135360,1135507,1135567,1135656,1135732,1135881,1137642,1138454,1138952,1139761,1140193,1140912,1143301,1146192,1146382,1148311,1148714,1150447,1151650,1151947,1152366,1153090,1153277,1153611,1154620,1154940,1155372,1157465,1157479,1158441,1158940,1159118,1159284,1160931,1162327,1162504,1163871,1165425,1165572,1167437,1167556,1168340,1169604,1169800,1170042,1170104,1170288,1170595,1171687,1171906,1172075,1173072,1174165,769106,769108,776615,849184,849204,849205,879904,887879,889605,892707,902494,908849,926318,932288,945380,948245,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,977264,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,987798,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Jochen Breuer 2020-11-12 09:32:33 UTC
I think this can be closed, right?
Comment 37 Swamp Workflow Management 2021-02-08 14:50:09 UTC
SUSE-SU-2021:0315-1: An update that solves 14 vulnerabilities and has 218 fixes is now available.

Category: security (moderate)
Bug References: 1002529,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1017078,1019386,1020831,1022562,1022841,1023535,1025896,1027044,1027240,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1071322,1072599,1075950,1079048,1081592,1083110,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101780,1101812,1101880,1102013,1102218,1102248,1102265,1102819,1103530,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893,1110938,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116343,1116837,1117995,1121091,1121439,1122663,1122680,1123044,1123512,1123865,1124277,1125015,1128061,1128554,1129079,1130588,1130784,1131114,1132076,1133523,1133647,1134860,1135360,1135507,1135567,1135656,1135732,1137642,1138952,1139761,1140193,1140912,1143301,1146192,1146382,1148714,1150447,1151650,1151947,1152366,1153611,1154620,1157465,1157479,1158441,1158940,1159118,1159284,1159670,1160931,1162327,1162504,1165425,1165572,1167437,1167556,1168340,1169604,1169800,1170042,1170104,1170288,1170595,1171461,1171906,1172075,1172211,1173072,1173909,1173911,1173936,1174165,1175549,1175987,1176024,1176294,1176397,1176480,1177867,1178319,1178361,1178362,1178485,849184,849204,849205,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652,CVE-2020-16846,CVE-2020-17490,CVE-2020-25592
JIRA References: 
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 38 Swamp Workflow Management 2021-02-08 15:25:14 UTC
SUSE-SU-2021:0316-1: An update that solves 14 vulnerabilities and has 218 fixes is now available.

Category: security (moderate)
Bug References: 1002529,1004047,1004260,1004723,1008933,1011304,1011800,1012398,1012999,1017078,1019386,1020831,1022562,1022841,1023535,1025896,1027044,1027240,1027722,1030009,1030073,1032213,1032452,1032931,1035914,1036125,1038855,1039370,1040886,1041993,1042749,1043111,1050003,1051948,1052264,1053376,1053955,1057635,1059291,1059758,1060230,1061407,1062462,1062464,1063419,1064520,1065792,1068446,1068566,1071322,1072599,1075950,1079048,1081592,1083110,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1091371,1092161,1092373,1094055,1095507,1095651,1095942,1096514,1097174,1097413,1098394,1099323,1099460,1099887,1099945,1100142,1100225,1100697,1101780,1101812,1101880,1102013,1102218,1102248,1102265,1102819,1103530,1104154,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893,1110938,1112874,1113698,1113699,1113784,1114029,1114197,1114474,1114824,1116343,1116837,1117995,1121091,1121439,1122663,1122680,1123044,1123512,1123865,1124277,1125015,1128061,1128554,1129079,1130588,1130784,1131114,1132076,1133523,1133647,1134860,1135360,1135507,1135567,1135656,1135732,1137642,1138952,1139761,1140193,1140912,1143301,1146192,1146382,1148714,1150447,1151650,1151947,1152366,1153611,1154620,1157465,1157479,1158441,1158940,1159118,1159284,1159670,1160931,1162327,1162504,1165425,1165572,1167437,1167556,1168340,1169604,1169800,1170042,1170104,1170288,1170595,1171461,1171906,1172075,1172211,1173072,1173909,1173911,1173936,1174165,1175549,1175987,1176024,1176294,1176397,1176480,1177867,1178319,1178361,1178362,1178485,849184,849204,849205,955373,958350,959572,963322,965403,967803,969320,970669,971372,972311,972490,975093,975303,975306,975733,975757,976148,978150,978833,979448,979676,980313,983017,983512,985112,985661,986019,988506,989193,989798,990029,990439,990440,991048,993039,993549,996455,999852
CVE References: CVE-2016-1866,CVE-2016-9639,CVE-2017-12791,CVE-2017-14695,CVE-2017-14696,CVE-2018-15750,CVE-2018-15751,CVE-2019-17361,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652,CVE-2020-16846,CVE-2020-17490,CVE-2020-25592
JIRA References: 
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 41 Pablo Suárez Hernández 2021-05-05 10:30:32 UTC
Setting back assignee to Security team since I think we're already done here.
Comment 45 Gabriele Sonnu 2022-05-02 12:32:55 UTC
Done.