What is CVE-2023-20898?

CVE-2023-20898 is a vulnerability in Salt masters prior to version 3005.2 or 3006.2 that allows Git Providers to read from the wrong environment, potentially leading to data disclosure and other issues.

How severe is CVE-2023-20898?

CVE-2023-20898 has a severity rating of 7.8 (high).

Which software versions are affected by CVE-2023-20898?

Salt masters prior to version 3005.2 or 3006.2 are affected by CVE-2023-20898.

How can the vulnerability in CVE-2023-20898 be fixed?

To fix the vulnerability in CVE-2023-20898, upgrade Salt masters to version 3005.2 or 3006.2.

Where can I find more information about CVE-2023-20898?

You can find more information about CVE-2023-20898 in the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-20898), [SaltStack Security Advisory](https://saltproject.io/security-announcements/2023-08-10-advisory/), [GitHub Advisory Database](https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2023-169.yaml).

Vulnerability/
CVE-2023-20898

high

7.8

5/9/2023

25/10/2024

CVE-2023-20898

First published: Tue Sep 05 2023(Updated: )

Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.

Credit: security@vmware.com security@vmware.com security@vmware.com

Affected Software	Affected Version	How to fix
SaltStack Salt	<3005.2
SaltStack Salt	>=3006.0<3006.2
pip/salt	>=3006.0rc1<3006.2	3006.2
pip/salt	<3005.2	3005.2
SaltStack Salt	<3005.2<3006.2	3005.2 3006.2
	<3005.2
	>=3006.0<3006.2

Remedy

How to Mitigate:Upgrade masters to 3005.2 or 3006.2.

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

saltproject-2023-08-10-advisory

Frequently Asked Questions

What is CVE-2023-20898?
CVE-2023-20898 is a vulnerability in Salt masters prior to version 3005.2 or 3006.2 that allows Git Providers to read from the wrong environment, potentially leading to data disclosure and other issues.
How severe is CVE-2023-20898?
CVE-2023-20898 has a severity rating of 7.8 (high).
Which software versions are affected by CVE-2023-20898?
Salt masters prior to version 3005.2 or 3006.2 are affected by CVE-2023-20898.
How can the vulnerability in CVE-2023-20898 be fixed?
To fix the vulnerability in CVE-2023-20898, upgrade Salt masters to version 3005.2 or 3006.2.
Where can I find more information about CVE-2023-20898?
You can find more information about CVE-2023-20898 in the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-20898), [SaltStack Security Advisory](https://saltproject.io/security-announcements/2023-08-10-advisory/), [GitHub Advisory Database](https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2023-169.yaml).

collector/nvd-api
collector/nvd-index
agent/type
agent/severity
agent/author
agent/description
agent/first-publish-date
collector/mitre-cve
source/MITRE
collector/github-advisory-latest
source/GitHub
alias/GHSA-qvh6-3j7x-3hq7
alias/CVE-2023-20898
agent/software-canonical-lookup
agent/references
agent/last-modified-date
agent/softwarecombine
agent/event
collector/nvd-cve
source/NVD
collector/saltproject-advisory
source/Salt Project
agent/remedy
collector/github-advisory
agent/tags
agent/trending
vendor/saltstack
canonical/saltstack salt
version/saltstack salt/3006.0
package-manager/pip