{"id":"CVE-2016-3176","details":"Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.","aliases":["GHSA-v2rp-9cpj-pfw2","PYSEC-2017-33"],"modified":"2026-04-10T03:49:24.773392Z","published":"2017-01-31T19:59:00.183Z","related":["SUSE-SU-2016:0970-1","SUSE-SU-2016:0972-1","SUSE-SU-2016:1343-1"],"references":[{"type":"ADVISORY","url":"https://docs.saltstack.com/en/latest/topics/releases/2015.5.10.html"},{"type":"ADVISORY","url":"https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/saltstack/salt","events":[{"introduced":"0"},{"last_affected":"92889db638dc8f5079641dc86d85ce0cb2a7b984"},{"introduced":"0"},{"last_affected":"34324abe562f6326618e290611a1737714118749"},{"introduced":"0"},{"last_affected":"87d86e4b3eaad075876f516eb8bb693d9a88d1c9"},{"introduced":"0"},{"last_affected":"af297bb0aefcc4ffa5b085166835ca23d0b7c457"},{"introduced":"0"},{"last_affected":"345206b68e97465c18450227e21adb888dd87358"},{"introduced":"0"},{"last_affected":"1c6c394d0ed51db613938dbfa4db6002eeb87a87"},{"introduced":"0"},{"last_affected":"c7db4350d53d399349e740cd403f2fdd1fcf571f"},{"introduced":"0"},{"last_affected":"8d84c636cf241237ca5e033beea6e3179e4de7d5"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2015.5.9"},{"introduced":"0"},{"last_affected":"2015.8.0"},{"introduced":"0"},{"last_affected":"2015.8.1"},{"introduced":"0"},{"last_affected":"2015.8.2"},{"introduced":"0"},{"last_affected":"2015.8.3"},{"introduced":"0"},{"last_affected":"2015.8.4"},{"introduced":"0"},{"last_affected":"2015.8.5"},{"introduced":"0"},{"last_affected":"2015.8.7"}]}}],"versions":["v0.10.0","v0.10.1","v0.10.2","v0.10.3","v0.10.4","v0.10.5","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.16","v0.17","v0.6.0","v0.7.0","v0.8.0","v0.8.7","v0.8.9","v0.9.0","v0.9.1","v0.9.2","v0.9.3","v0.9.9","v2014.1","v2014.7","v2015.2","v2015.2.0rc1","v2015.2.0rc2","v2015.5","v2015.5.0","v2015.5.1","v2015.5.2","v2015.5.3","v2015.5.4","v2015.5.5","v2015.5.6","v2015.5.7","v2015.5.8","v2015.5.9","v2015.8","v2015.8.0","v2015.8.0rc1","v2015.8.0rc2","v2015.8.0rc3","v2015.8.0rc4","v2015.8.0rc5","v2015.8.1","v2015.8.2","v2015.8.3","v2015.8.4","v2015.8.5","v2015.8.6","v2015.8.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-3176.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}