SaltStack Improper Verification of Cryptographic Signature

GHSA-2q4g-wfm6-5fpm · CVE-2022-22934 · PYSEC-2022-171

Published Mar 30, 2022 · Modified Oct 26, 2024

Description

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-22934
WEB https://blog.cloudflare.com/future-proofing-saltstack
WEB https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2022-171.yaml
PACKAGE https://github.com/saltstack/salt
WEB https://github.com/saltstack/salt/releases
WEB https://github.com/saltstack/salt/releases,
WEB https://repo.saltproject.io
WEB https://saltproject.io/security_announcements/salt-security-advisory-release/,
WEB https://security.gentoo.org/glsa/202310-22

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes