CVE-2022-22934 – salt

Package

Manager: pip
Name: salt
Vulnerable Version: >=0 <3002.8 || =3004 || >=3004 <3004.1 || >=3003 <3003.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00092 pctl0.26936

Details

SaltStack Improper Verification of Cryptographic Signature An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data.

Metadata

Created: 2022-03-30T00:00:20Z
Modified: 2024-10-26T22:50:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-2q4g-wfm6-5fpm/GHSA-2q4g-wfm6-5fpm.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-2q4g-wfm6-5fpm
Finding: F163
Auto approve: 1