CVE-2022-22934
First published: Tue Mar 29 2022(Updated: )
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data.
Credit: security@vmware.com security@vmware.com security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/salt | >=3003<3003.4 | 3003.4 |
| pip/salt | =3004 | 3004.1 |
| pip/salt | <3002.8 | 3002.8 |
| SaltStack Salt | >=3002<3002.8 | |
| SaltStack Salt | >=3003<3003.4 | |
| SaltStack Salt | >=3004<3004.1 | |
| SaltStack Salt | <3004.1<3003.4<3002.8 | 3004.1 3003.4 3002.8 |
Remedy
How to Mitigate: Upgrade to 3002.8, 3003.4, or 3004.1 NOTE: When upgrading your Salt infrastructure, first upgrade your Salt master packages before upgrading your Salt minion packages. Upgrading the minion packages first could result in loss of functionality.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/saltstack/salt/releases,
- https://repo.saltproject.io/
- https://saltproject.io/security_announcements/salt-security-advisory-release/,
- https://github.com/saltstack/salt/releases%2C
- https://saltproject.io/security_announcements/salt-security-advisory-release/%2C
- https://security.gentoo.org/glsa/202310-22
- https://saltproject.io/security-announcements/2022-03-28-advisory/
- https://nvd.nist.gov/vuln/detail/CVE-2022-22934
- https://github.com/saltstack/salt/releases
- https://blog.cloudflare.com/future-proofing-saltstack
- https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2022-171.yaml
- https://repo.saltproject.io
- https://github.com/advisories/GHSA-2q4g-wfm6-5fpm (Advisory)
Frequently Asked Questions
What is CVE-2022-22934?
CVE-2022-22934 is a vulnerability discovered in SaltStack Salt in versions before 3002.8, 3003.4, and 3004.1.
What is the severity of CVE-2022-22934?
The severity of CVE-2022-22934 is classified as high with a CVSS score of 8.8.
How does CVE-2022-22934 affect SaltStack Salt?
CVE-2022-22934 affects Salt Masters in versions before 3002.8, 3003.4, and 3004.1 by not signing pillar data with the minion's public key, allowing attackers to substitute arbitrary pillar data.
What is the remedy for CVE-2022-22934?
To remediate CVE-2022-22934, upgrade SaltStack Salt to version 3003.4 or later.
Where can I find more information about CVE-2022-22934?
For more information about CVE-2022-22934, you can refer to the following sources: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-22934), [Cloudflare Blog](https://blog.cloudflare.com/future-proofing-saltstack/), [SaltStack Salt Releases](https://github.com/saltstack/salt/releases).
- collector/nvd-index
- collector/nvd-api
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/severity
- agent/description
- agent/event
- collector/saltproject-advisory
- source/Salt Project
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-2q4g-wfm6-5fpm
- alias/CVE-2022-22934
- agent/last-modified-date
- collector/github-advisory
- agent/references
- agent/tags
- agent/trending
- vendor/saltstack
- canonical/saltstack salt
- version/saltstack salt/3002
- version/saltstack salt/3003
- version/saltstack salt/3004
- package-manager/pip