Vulnerability Description
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data.
CVSS Score
8.8
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Saltstack | Salt | >= 3002, < 3002.8 |
References
- https://github.com/saltstack/salt/releases%2CBroken Link
- https://repo.saltproject.io/Product
- https://saltproject.io/security_announcements/salt-security-advisory-release/%2CBroken Link
- https://security.gentoo.org/glsa/202310-22Third Party Advisory
- https://github.com/saltstack/salt/releases%2CBroken Link
- https://repo.saltproject.io/Product
- https://saltproject.io/security_announcements/salt-security-advisory-release/%2CBroken Link
- https://security.gentoo.org/glsa/202310-22Third Party Advisory
FAQ
What is CVE-2022-22934?
CVE-2022-22934 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbit...
How severe is CVE-2022-22934?
CVE-2022-22934 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-22934?
Check the references section above for vendor advisories and patch information. Affected products include: Saltstack Salt.