Several vulnerabilities were discovered in salt-master, a powerful remote execution manager, which could result in retrieve of user tokens from the salt-master master, execution of arbitrary commands on salt-master minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-master-api hosts.