|
| 1 | +CVE-2024-38822 |
| 2 | +Multiple methods in the salt master skip minion token validation. Therefore a misbehaving minion can impersonate another minion. |
| 3 | + |
| 4 | +CVSS 2.7 V:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N |
| 5 | + |
| 6 | +CVE-2024-38823 |
| 7 | +Salt's request server is vulnerable to replay attacks when not using a TLS encrypted transport. |
| 8 | + |
| 9 | +CVSS Score 2.7 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N |
| 10 | + |
| 11 | +CVE-2024-38824 |
| 12 | +Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory. |
| 13 | + |
| 14 | +CVSS Score 9.6 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| 15 | + |
| 16 | +CVE-2024-38825 |
| 17 | +The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted. |
| 18 | + |
| 19 | +CVSS Score 6.4 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| 20 | + |
| 21 | +CVE-2025-22236 |
| 22 | +Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0). |
| 23 | + |
| 24 | +CVSS 8.1 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L |
| 25 | + |
| 26 | +CVE-2025-22237 |
| 27 | +An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause and arbitrary command to be run on the master with the same privileges as the master process. |
| 28 | + |
| 29 | +CVSS 6.7 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| 30 | + |
| 31 | +CVE-2025-22238 |
| 32 | +Directory traversal attack in minion file cache creation. The master's default cache is vulnerable to a directory traversal attack. Which could be leveraged to write or overwrite 'cache' files outside of the cache directory. |
| 33 | + |
| 34 | +CVSS 4.2 AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N |
| 35 | + |
| 36 | +CVE-2025-22239 |
| 37 | +Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by and authorized minion to send arbitrary events onto the master's event bus. |
| 38 | + |
| 39 | +CVSS 8.1 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L |
| 40 | + |
| 41 | +CVE-2025-22240 |
| 42 | +Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using unvalidated input from the “tgt_env” variable. This can be exploited by an attacker to delete any file on the Master's process has permissions to |
| 43 | + |
| 44 | +CVSS 6.3 AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H |
| 45 | + |
| 46 | +CVE-2025-22241 |
| 47 | +File contents overwrite the VirtKey class is called when “on-demand pillar” data is requested and uses un-validated input to create paths to the “pki directory”. The functionality is used to auto-accept Minion authentication keys based on a pre-placed “authorization file” at a specific location and is present in the default configuration. |
| 48 | + |
| 49 | +CVSS 5.6 AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N |
| 50 | + |
| 51 | +CVE-2025-22242 |
| 52 | +Worker process denial of service through file read operation. .A vulnerability exists in the Master's “pub_ret” method which is exposed to all minions. The un-sanitized input value “jid” is used to construct a path which is then opened for reading. An attacker could exploit this vulnerabilities by attempting to read from a filename that will not return any data, e.g. by targeting a pipe node on the proc file system. |
| 53 | + |
| 54 | +CVSS 5.6 AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:H |
| 55 | + |
| 56 | +This release also includes sqlite 3.50.1 to address CVE-2025-29087 |
0 commit comments