PT-2022-15742 · Saltstack+2 · Saltstack Salt+2

Published 2022-03-29 · Updated 2023-12-21 · CVE-2022-22934

CVSS v3.1: 8.8 High

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SaltStack Salt versions prior to 3002.8
SaltStack Salt versions prior to 3003.4
SaltStack Salt versions prior to 3004.1

Description

An issue was discovered in SaltStack Salt where Salt Masters do not sign pillar data with the minion’s public key. This can result in attackers substituting arbitrary pillar data.

Recommendations

For versions prior to 3002.8, update to version 3002.8 or later.
For versions prior to 3003.4, update to version 3003.4 or later.
For versions prior to 3004.1, update to version 3004.1 or later.

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

ALT-PU-2022-3177
ALT-PU-2022-3214
ALT-PU-2022-3218
CVE-2022-22934
GHSA-2Q4G-WFM6-5FPM
OPENSUSE-SU-2022:1059-1
OPENSUSE-SU-2022_1059-1
OPENSUSE-SU-2024:11970-1
PYSEC-2022-171
SUSE-FU-2022:2042-1
SUSE-FU-2022:2135-1
SUSE-RU-2022:1384-1
SUSE-RU-2022:1385-1
SUSE-RU-2022:1389-1
SUSE-RU-2022:1391-1
SUSE-RU-2022:1392-1
SUSE-SU-2022:1049-1
SUSE-SU-2022:1050-1
SUSE-SU-2022:1051-1
SUSE-SU-2022:1057-1
SUSE-SU-2022:1058-1
SUSE-SU-2022:1059-1
SUSE-SU-2022:1060-1
SUSE-SU-2022:1514-1
SUSE-SU-2022:1531-1
SUSE-SU-2022:1536-1
SUSE-SU-2022:1545-1
SUSE-SU-2022_1051-1
SUSE-SU-2022_1057-1
SUSE-SU-2022_1058-1
SUSE-SU-2022_1059-1
SUSE-SU-2022_1060-1

Affected Products

Alt Linux
Saltstack Salt
Suse