From the Arch Linux advisory:
- CVE-2017-5192 (arbitrary code execution): The
`LocalClient.cmd_batch()` method client does not accept
`external_auth` credentials and so access to it from salt-api has
been removed for now. This vulnerability allows code execution for
already- authenticated users and is only in effect when running
salt-api as the `root` user.
- CVE-2017-5200 (arbitrary command execution): Salt-api allows
arbitrary command execution on a salt-master via Salt's ssh_client.
Users of Salt-API and salt-ssh could execute a command on the salt
master via a hole when both systems were enabled.