Vulnerabilites related to VMware - SALT
CVE-2024-38822 (GCVE-0-2024-38822)
Vulnerability from cvelistv5
Published
2025-06-13 06:40
Modified
2025-06-16 18:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Multiple methods in the salt master skip minion token validation. Therefore a misbehaving minion can impersonate another minion.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38822",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T18:49:20.683796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T18:06:37.211Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Salt",
"product": "SALT",
"vendor": "VMware",
"versions": [
{
"lessThan": "3006.12",
"status": "affected",
"version": "3006.x",
"versionType": "lts"
},
{
"lessThan": "3007.4",
"status": "affected",
"version": "3007.x",
"versionType": "sts"
}
]
}
],
"datePublic": "2025-06-12T07:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Multiple methods in the salt master skip minion token validation. Therefore a misbehaving minion can impersonate another minion.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Multiple methods in the salt master skip minion token validation. Therefore a misbehaving minion can impersonate another minion."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T06:40:41.885Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://docs.saltproject.io/en/3006/topics/releases/3006.12.html"
},
{
"url": "https://docs.saltproject.io/en/3007/topics/releases/3007.4.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2024-38822 Salt Advisory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-38822",
"datePublished": "2025-06-13T06:40:41.885Z",
"dateReserved": "2024-06-19T22:32:06.583Z",
"dateUpdated": "2025-06-16T18:06:37.211Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22236 (GCVE-0-2025-22236)
Vulnerability from cvelistv5
Published
2025-06-13 06:53
Modified
2025-06-13 14:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0).
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22236",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T13:59:59.848349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T14:00:25.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Salt",
"product": "SALT",
"vendor": "VMware",
"versions": [
{
"lessThan": "3006.12",
"status": "affected",
"version": "3006.x",
"versionType": "lts"
},
{
"lessThan": "3007.4",
"status": "affected",
"version": "3007.x",
"versionType": "sts"
}
]
}
],
"datePublic": "2025-06-12T07:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMinion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (\u0026gt;= 3007.0).\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (\u003e= 3007.0)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T06:53:04.233Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://docs.saltproject.io/en/3006/topics/releases/3006.12.html"
},
{
"url": "https://docs.saltproject.io/en/3007/topics/releases/3007.4.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-22236 salt advisory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22236",
"datePublished": "2025-06-13T06:53:04.233Z",
"dateReserved": "2025-01-02T04:30:06.833Z",
"dateUpdated": "2025-06-13T14:00:25.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22242 (GCVE-0-2025-22242)
Vulnerability from cvelistv5
Published
2025-06-13 07:08
Modified
2025-06-17 17:25
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Worker process denial of service through file read operation. .A vulnerability exists in the Master's “pub_ret” method which is exposed to all minions. The un-sanitized input value “jid” is used to construct a path which is then opened for reading. An attacker could exploit this vulnerabilities by attempting to read from a filename that will not return any data, e.g. by targeting a pipe node on the proc file system.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22242",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T15:23:55.859324Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T17:25:29.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Salt",
"product": "SALT",
"vendor": "VMware",
"versions": [
{
"lessThan": "3006.12",
"status": "affected",
"version": "3006.x",
"versionType": "lts"
},
{
"lessThan": "3007.4",
"status": "affected",
"version": "3007.x",
"versionType": "sts"
}
]
}
],
"datePublic": "2025-06-12T07:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWorker process denial of service through file read operation. .A vulnerability exists in the Master\u0027s \u201cpub_ret\u201d method which is exposed to all minions. The un-sanitized input value \u201cjid\u201d is used to construct a path which is then opened for reading. An attacker could exploit this vulnerabilities by attempting to read from a filename that will not return any data, e.g. by targeting a pipe node on the proc file system.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Worker process denial of service through file read operation. .A vulnerability exists in the Master\u0027s \u201cpub_ret\u201d method which is exposed to all minions. The un-sanitized input value \u201cjid\u201d is used to construct a path which is then opened for reading. An attacker could exploit this vulnerabilities by attempting to read from a filename that will not return any data, e.g. by targeting a pipe node on the proc file system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T07:08:12.518Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://docs.saltproject.io/en/3006/topics/releases/3006.12.html"
},
{
"url": "https://docs.saltproject.io/en/3007/topics/releases/3007.4.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-22242 salt advisory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22242",
"datePublished": "2025-06-13T07:08:12.518Z",
"dateReserved": "2025-01-02T04:30:06.833Z",
"dateUpdated": "2025-06-17T17:25:29.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38823 (GCVE-0-2024-38823)
Vulnerability from cvelistv5
Published
2025-06-13 06:41
Modified
2025-06-13 13:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Salt's request server is vulnerable to replay attacks when not using a TLS encrypted transport.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38823",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T13:57:49.807574Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T13:59:57.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Salt",
"product": "SALT",
"vendor": "VMware",
"versions": [
{
"lessThan": "3006.12",
"status": "affected",
"version": "3006.x",
"versionType": "lts"
},
{
"lessThan": "3007.4",
"status": "affected",
"version": "3007.x",
"versionType": "sts"
}
]
}
],
"datePublic": "2025-06-12T07:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSalt\u0027s request server is vulnerable to replay attacks when not using a TLS encrypted transport.\u003c/p\u003e"
}
],
"value": "Salt\u0027s request server is vulnerable to replay attacks when not using a TLS encrypted transport."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T06:41:26.536Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://docs.saltproject.io/en/3006/topics/releases/3006.12.html"
},
{
"url": "https://docs.saltproject.io/en/3007/topics/releases/3007.4.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2024-38823 Salt Advisory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-38823",
"datePublished": "2025-06-13T06:41:26.536Z",
"dateReserved": "2024-06-19T22:32:06.583Z",
"dateUpdated": "2025-06-13T13:59:57.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22238 (GCVE-0-2025-22238)
Vulnerability from cvelistv5
Published
2025-06-13 06:58
Modified
2025-06-13 13:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Directory traversal attack in minion file cache creation. The master's default cache is vulnerable to a directory traversal attack. Which could be leveraged to write or overwrite 'cache' files outside of the cache directory.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T13:54:45.480351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T13:55:43.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Salt",
"product": "SALT",
"vendor": "VMware",
"versions": [
{
"lessThan": "3006.12",
"status": "affected",
"version": "3006.x",
"versionType": "lts"
},
{
"lessThan": "3007.4",
"status": "affected",
"version": "3007.x",
"versionType": "sts"
}
]
}
],
"datePublic": "2025-06-12T07:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDirectory traversal attack in minion file cache creation. The master\u0027s default cache is vulnerable to a directory traversal attack. Which could be leveraged to write or overwrite \u0027cache\u0027 files outside of the cache directory.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Directory traversal attack in minion file cache creation. The master\u0027s default cache is vulnerable to a directory traversal attack. Which could be leveraged to write or overwrite \u0027cache\u0027 files outside of the cache directory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T06:58:19.550Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://docs.saltproject.io/en/3006/topics/releases/3006.12.html"
},
{
"url": "https://docs.saltproject.io/en/3007/topics/releases/3007.4.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-22238 salt advisory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22238",
"datePublished": "2025-06-13T06:58:19.550Z",
"dateReserved": "2025-01-02T04:30:06.833Z",
"dateUpdated": "2025-06-13T13:55:43.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38824 (GCVE-0-2024-38824)
Vulnerability from cvelistv5
Published
2025-06-13 07:10
Modified
2025-06-16 18:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38824",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-14T03:56:04.670703Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T18:07:37.440Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Salt",
"product": "SALT",
"vendor": "VMware",
"versions": [
{
"lessThan": "3006.12",
"status": "affected",
"version": "3006.x",
"versionType": "lts"
},
{
"lessThan": "3007.4",
"status": "affected",
"version": "3007.x",
"versionType": "sts"
}
]
}
],
"datePublic": "2025-06-12T07:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDirectory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T07:10:31.166Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://docs.saltproject.io/en/3006/topics/releases/3006.12.html"
},
{
"url": "https://docs.saltproject.io/en/3007/topics/releases/3007.4.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2024-38824 salt advisory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-38824",
"datePublished": "2025-06-13T07:10:31.166Z",
"dateReserved": "2024-06-19T22:32:06.583Z",
"dateUpdated": "2025-06-16T18:07:37.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22241 (GCVE-0-2025-22241)
Vulnerability from cvelistv5
Published
2025-06-13 07:04
Modified
2025-06-17 17:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
File contents overwrite the VirtKey class is called when “on-demand pillar” data is requested and uses un-validated input to create paths to the “pki directory”. The functionality is used to auto-accept Minion authentication keys based on a pre-placed “authorization file” at a specific location and is present in the default configuration.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22241",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T15:24:21.315077Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T17:26:12.653Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Salt",
"product": "SALT",
"vendor": "VMware",
"versions": [
{
"lessThan": "3006.12",
"status": "affected",
"version": "3006.x",
"versionType": "lts"
},
{
"lessThan": "3007.4",
"status": "affected",
"version": "3007.x",
"versionType": "sts"
}
]
}
],
"datePublic": "2025-06-12T07:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eFile contents overwrite the VirtKey class is called when \u201con-demand pillar\u201d data is requested and uses un-validated input to create paths to the \u201cpki directory\u201d. The functionality is used to auto-accept Minion authentication keys based on a pre-placed \u201cauthorization file\u201d at a specific location and is present in the default configuration.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "File contents overwrite the VirtKey class is called when \u201con-demand pillar\u201d data is requested and uses un-validated input to create paths to the \u201cpki directory\u201d. The functionality is used to auto-accept Minion authentication keys based on a pre-placed \u201cauthorization file\u201d at a specific location and is present in the default configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T07:04:38.695Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://docs.saltproject.io/en/3006/topics/releases/3006.12.html"
},
{
"url": "https://docs.saltproject.io/en/3007/topics/releases/3007.4.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-22241 salt advisory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22241",
"datePublished": "2025-06-13T07:04:38.695Z",
"dateReserved": "2025-01-02T04:30:06.833Z",
"dateUpdated": "2025-06-17T17:26:12.653Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22237 (GCVE-0-2025-22237)
Vulnerability from cvelistv5
Published
2025-06-13 06:55
Modified
2025-06-14 03:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause and arbitrary command to be run on the master with the same privileges as the master process.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-14T03:56:05.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Salt",
"product": "SALT",
"vendor": "VMware",
"versions": [
{
"lessThan": "3006.12",
"status": "affected",
"version": "3006.x",
"versionType": "lts"
},
{
"lessThan": "3007.4",
"status": "affected",
"version": "3007.x",
"versionType": "sts"
}
]
}
],
"datePublic": "2025-06-12T07:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn attacker with access to a minion key can exploit the \u0027on demand\u0027 pillar functionality with a specially crafted git url which could cause and arbitrary command to be run on the master with the same privileges as the master process.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An attacker with access to a minion key can exploit the \u0027on demand\u0027 pillar functionality with a specially crafted git url which could cause and arbitrary command to be run on the master with the same privileges as the master process."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T06:55:39.704Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://docs.saltproject.io/en/3006/topics/releases/3006.12.html"
},
{
"url": "https://docs.saltproject.io/en/3007/topics/releases/3007.4.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-22237 salt advisory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22237",
"datePublished": "2025-06-13T06:55:39.704Z",
"dateReserved": "2025-01-02T04:30:06.833Z",
"dateUpdated": "2025-06-14T03:56:05.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38825 (GCVE-0-2024-38825)
Vulnerability from cvelistv5
Published
2025-06-13 06:46
Modified
2025-06-13 14:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38825",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T14:00:49.726753Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T14:01:02.386Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Salt",
"product": "SALT",
"vendor": "VMware",
"versions": [
{
"lessThan": "3006.12",
"status": "affected",
"version": "3006.x",
"versionType": "lts"
},
{
"lessThan": "3007.4",
"status": "affected",
"version": "3007.x",
"versionType": "sts"
}
]
}
],
"datePublic": "2025-06-12T07:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe salt.auth.pki module does not properly authenticate callers. The \"password\" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "The salt.auth.pki module does not properly authenticate callers. The \"password\" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T06:46:12.145Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://docs.saltproject.io/en/3006/topics/releases/3006.12.html"
},
{
"url": "https://docs.saltproject.io/en/3007/topics/releases/3007.4.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2024-38825 Salt Advisory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-38825",
"datePublished": "2025-06-13T06:46:12.145Z",
"dateReserved": "2024-06-19T22:32:06.583Z",
"dateUpdated": "2025-06-13T14:01:02.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22239 (GCVE-0-2025-22239)
Vulnerability from cvelistv5
Published
2025-06-13 07:00
Modified
2025-06-13 13:53
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by and authorized minion to send arbitrary events onto the master's event bus.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22239",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T13:50:17.972449Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T13:53:14.907Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Salt",
"product": "SALT",
"vendor": "VMware",
"versions": [
{
"lessThan": "3006.12",
"status": "affected",
"version": "3006.x",
"versionType": "lts"
},
{
"lessThan": "3007.4",
"status": "affected",
"version": "3007.x",
"versionType": "sts"
}
]
}
],
"datePublic": "2025-06-12T07:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eArbitrary event injection on Salt Master. The master\u0027s \"_minion_event\" method can be used by and authorized minion to send arbitrary events onto the master\u0027s event bus.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Arbitrary event injection on Salt Master. The master\u0027s \"_minion_event\" method can be used by and authorized minion to send arbitrary events onto the master\u0027s event bus."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T07:00:53.681Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://docs.saltproject.io/en/3006/topics/releases/3006.12.html"
},
{
"url": "https://docs.saltproject.io/en/3007/topics/releases/3007.4.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-22239 salt advisory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22239",
"datePublished": "2025-06-13T07:00:53.681Z",
"dateReserved": "2025-01-02T04:30:06.833Z",
"dateUpdated": "2025-06-13T13:53:14.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22240 (GCVE-0-2025-22240)
Vulnerability from cvelistv5
Published
2025-06-13 07:03
Modified
2025-06-13 13:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using unvalidated input from the “tgt_env” variable. This can be exploited by an attacker to delete any file on the Master's process has permissions to.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T13:40:39.603922Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T13:42:42.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Salt",
"product": "SALT",
"vendor": "VMware",
"versions": [
{
"lessThan": "3006.12",
"status": "affected",
"version": "3006.x",
"versionType": "lts"
},
{
"lessThan": "3007.4",
"status": "affected",
"version": "3007.x",
"versionType": "sts"
}
]
}
],
"datePublic": "2025-06-12T07:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eArbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using unvalidated input from the \u201ctgt_env\u201d variable. This can be exploited by an attacker to delete any file on the Master\u0027s process has permissions to.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using unvalidated input from the \u201ctgt_env\u201d variable. This can be exploited by an attacker to delete any file on the Master\u0027s process has permissions to."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T07:03:35.139Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://docs.saltproject.io/en/3006/topics/releases/3006.12.html"
},
{
"url": "https://docs.saltproject.io/en/3007/topics/releases/3007.4.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-22240 salt advisory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22240",
"datePublished": "2025-06-13T07:03:35.139Z",
"dateReserved": "2025-01-02T04:30:06.833Z",
"dateUpdated": "2025-06-13T13:42:42.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}