saltstack

Top products

The 15 most recently published vulnerabilities affecting saltstack.

• CVE-2024-38824CVE-2024-38824 salt advisory9.6Jun 13, 2025
• CVE-2023-20898Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different envi...4.2Sep 5, 2023
• CVE-2023-20897Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresp...5.3Sep 5, 2023
• CVE-2021-33226Buffer Overflow vulnerability in Saltstack v.3003 and before allows attacker to execute arbitrary code via the func variable in salt/salt/modules/status.py file. NOTE: this is disputed by third par...9.8Feb 17, 2023
• CVE-2022-22967An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked stil...8.8Jun 22, 2022
• CVE-2022-22941An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets ...8.8Mar 29, 2022
• CVE-2022-22936An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes and file server replies are susceptible to replay attacks, which can result in an attacker replayi...8.8Mar 29, 2022
• CVE-2022-22935An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. A minion authentication denial of service can cause a MiTM attacker to force a minion process to stop by imperso...3.7Mar 29, 2022
• CVE-2022-22934An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting ...8.8Mar 29, 2022
• CVE-2021-22004An issue was discovered in SaltStack Salt before 3003.3. The salt minion installer will accept and use a minion config file at C:\salt\conf if that file is in place before the installer is run. Thi...6.4Sep 8, 2021
• CVE-2021-21996An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.7.5Sep 8, 2021
• CVE-2021-31607In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is cr...7.8Apr 23, 2021
• CVE-2021-25315salt-api unauthenticated remote code execution9.8Mar 3, 2021
• CVE-2021-3144In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)9.1Feb 27, 2021
• CVE-2021-3148An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of sin...9.8Feb 27, 2021