CVE-2022-22934

high

Description

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data.

References

https://security.gentoo.org/glsa/202310-22

https://saltproject.io/security_announcements/salt-security-advisory-release/%2C

https://repo.saltproject.io/

https://github.com/saltstack/salt/releases%2C

Details

Source: Mitre, NVD

Published: 2022-03-29

Updated: 2023-12-21

Risk Information

CVSS v2

Base Score: 5.8

Vector: CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: High