Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycTRnLXdmbTYtNWZwbc02rA
SaltStack Improper Verification of Cryptographic Signature
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data.
Permalink: https://github.com/advisories/GHSA-2q4g-wfm6-5fpmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycTRnLXdmbTYtNWZwbc02rA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 6 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-2q4g-wfm6-5fpm, CVE-2022-22934
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-22934
- https://blog.cloudflare.com/future-proofing-saltstack/
- https://github.com/saltstack/salt/releases
- https://github.com/saltstack/salt/releases,
- https://repo.saltproject.io/
- https://saltproject.io/security_announcements/salt-security-advisory-release/,
- https://security.gentoo.org/glsa/202310-22
- https://github.com/advisories/GHSA-2q4g-wfm6-5fpm
Blast Radius: 23.2
Affected Packages
pypi:salt
Dependent packages: 34Dependent repositories: 428
Downloads: 60,068 last month
Affected Version Ranges: >= 3003, < 3003.4, = 3004, < 3002.8
Fixed in: 3003.4, 3004.1, 3002.8
All affected versions: 0.8.7, 0.8.9, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.90, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 2014.1.0, 2014.1.1, 2014.1.2, 2014.1.3, 2014.1.4, 2014.1.5, 2014.1.6, 2014.1.7, 2014.1.8, 2014.1.9, 2014.1.10, 2014.1.11, 2014.1.12, 2014.1.13, 2014.7.0, 2014.7.1, 2014.7.2, 2014.7.3, 2014.7.4, 2014.7.5, 2014.7.6, 2014.7.7, 2015.5.0, 2015.5.1, 2015.5.2, 2015.5.3, 2015.5.4, 2015.5.5, 2015.5.6, 2015.5.7, 2015.5.8, 2015.5.9, 2015.5.10, 2015.5.11, 2015.8.0, 2015.8.1, 2015.8.2, 2015.8.3, 2015.8.4, 2015.8.5, 2015.8.7, 2015.8.8, 2015.8.9, 2015.8.10, 2015.8.11, 2015.8.12, 2015.8.13, 2016.3.0, 2016.3.1, 2016.3.2, 2016.3.3, 2016.3.4, 2016.3.5, 2016.3.6, 2016.3.7, 2016.3.8, 2016.11.0, 2016.11.1, 2016.11.2, 2016.11.3, 2016.11.4, 2016.11.5, 2016.11.6, 2016.11.7, 2016.11.8, 2016.11.9, 2016.11.10, 2017.7.0, 2017.7.1, 2017.7.2, 2017.7.3, 2017.7.4, 2017.7.5, 2017.7.6, 2017.7.7, 2017.7.8, 2018.3.0, 2018.3.1, 2018.3.2, 2018.3.3, 2018.3.4, 2018.3.5, 2019.2.0, 2019.2.1, 2019.2.2, 2019.2.3, 2019.2.4, 2019.2.5, 2019.2.6, 2019.2.7, 2019.2.8
All unaffected versions: