fkie_cve-2024-38825
Vulnerability from fkie_nvd
Published
2025-06-13 07:15
Modified
2025-06-16 12:32
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Summary
The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted.
References
security@vmware.comhttps://docs.saltproject.io/en/3006/topics/releases/3006.12.html
security@vmware.comhttps://docs.saltproject.io/en/3007/topics/releases/3007.4.html
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The salt.auth.pki module does not properly authenticate callers. The \"password\" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo salt.auth.pki no autentica correctamente a los usuarios que llaman. El campo \"contrase\u00f1a\" contiene un certificado p\u00fablico que el m\u00f3dulo valida con un certificado de CA. Esto no es autenticaci\u00f3n PKI, ya que el usuario que llama no necesita acceder a la clave privada correspondiente para que se acepte el intento de autenticaci\u00f3n."
    }
  ],
  "id": "CVE-2024-38825",
  "lastModified": "2025-06-16T12:32:18.840",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 2.7,
        "source": "security@vmware.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-13T07:15:20.717",
  "references": [
    {
      "source": "security@vmware.com",
      "url": "https://docs.saltproject.io/en/3006/topics/releases/3006.12.html"
    },
    {
      "source": "security@vmware.com",
      "url": "https://docs.saltproject.io/en/3007/topics/releases/3007.4.html"
    }
  ],
  "sourceIdentifier": "security@vmware.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.