PT-2023-5309 · Salt+3

Published: 2023-08-10 · Updated: 2025-01-22 · CVE-2023-20898

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Salt masters prior to 3005.2 or 3006.2

Description

Git Providers in Salt masters can read from the wrong environment because their cache directories share the same base name. This can lead to garbage data or the wrong data being retrieved, resulting in wrongful data disclosure, wrongful executions, data corruption, and/or crashes. The vulnerability is associated with a lack of protection for service data, which can allow an attacker to disclose protected information.

Recommendations

For versions prior to 3005.2, update to version 3005.2 or later. For versions prior to 3006.2, update to version 3006.2 or later. As a temporary workaround, consider restricting access to Git Providers to minimize the risk of exploitation.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2023-5558
ALT-PU-2023-5591
ALT-PU-2023-5717
ALT-PU-2023-5935
ALT-PU-2025-1673
BDU:2023-05935
CVE-2023-20898
GHSA-QVH6-3J7X-3HQ7
OPENSUSE-SU-2023_3862-1
OPENSUSE-SU-2023_3863-1
OPENSUSE-SU-2023_3885-1
OPENSUSE-SU-2024:13188-1
PYSEC-2023-169
SUSE-SU-2023:3862-1
SUSE-SU-2023:3863-1
SUSE-SU-2023:3864-1
SUSE-SU-2023:3865-1
SUSE-SU-2023:3866-1
SUSE-SU-2023:3876-1
SUSE-SU-2023:3877-1
SUSE-SU-2023:3884-1
SUSE-SU-2023:3885-1

Affected Products

ALT Linux
RED OS
Salt
SUSE