#VU82800 Cryptographic issues in Salt - CVE-2022-22934


Vulnerability identifier: #VU82800

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-22934

CWE-ID: CWE-310

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Salt
Web applications / Remote management & hosting panels

Vendor: SaltStack

Description

The vulnerability allows a remote attacker to manipulate data.

The vulnerability exists due to Salt Masters do not sign pillar data with the minion’s public key. A remote attacker can manipulate arbitrary pillar data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Salt: 3002 - 3002.7, 3003 - 3003.3, 3004

External links
https://saltproject.io/security_announcements/salt-security-advisory-release/
https://security.gentoo.org/glsa/202310-22

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for Salt
SUSE update for Security Beta update for SUSE Manager Client Tools
SUSE update for Security Beta update for SUSE Manager Salt Bundle
SUSE update for Security Beta update for SUSE Manager Salt Bundle
SUSE update for Security Beta update for SUSE Manager Salt Bundle
SUSE update for Security Beta update for SUSE Manager Salt Bundle
SUSE update for Security Beta update for SUSE Manager Salt Bundle
SUSE update for Security Beta update for SUSE Manager Client Tools
SUSE update for Security Beta update for SUSE Manager Client Tools
SUSE update for Security Beta update for SUSE Manager Client Tools