CVE-2022-22934: SaltStack Improper Verification of Cryptographic Signature
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data.
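For an administrator who needs to find which Salt masters and minions still run an affected release, the following is an added example (not code from the advisory or from the Salt project) that applies the version boundaries stated above: anything before 3002.8, 3003.4 or 3004.1 is affected. It assumes that releases numbered above 3004 postdate the fix and that any packaging suffix after the numeric version (such as an rc tag) can be ignored; the host inventory at the bottom is constructed sample data.

```python
"""Check SaltStack version strings against the CVE-2022-22934 fixed releases.

Added example, not part of the advisory or of the Salt project.
Fixed versions (from the advisory text): 3002.8, 3003.4, 3004.1.
"""
import re

# First patched minor release for each affected major branch (from the advisory).
FIXED_RELEASES = {3002: 8, 3003: 4, 3004: 1}


def parse_version(version):
    """Turn a Salt version string such as '3003.3' or '3004' into (major, minor).

    Assumption of this example: any trailing suffix (e.g. 'rc1', or a distro
    packaging suffix) is ignored, and a missing minor number means 0.
    Older year-based versions such as '2019.2.8' parse as (2019, 2).
    """
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Salt version: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_vulnerable(version):
    """True if the given Salt version predates the fix for CVE-2022-22934."""
    major, minor = parse_version(version)
    if major < 3002:
        # Every release before the 3002 branch is older than 3002.8.
        return True
    if major in FIXED_RELEASES:
        # Within a patched branch, only releases below the fixed minor are affected.
        return minor < FIXED_RELEASES[major]
    # Assumption: branches newer than 3004 were released after the fix.
    return False


def affected_hosts(inventory):
    """Return the sorted names of hosts whose reported Salt version is affected.

    `inventory` maps host name -> version string, e.g. as collected from
    `salt-call --version` or the `saltversion` grain.
    """
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = {
        "master-a": "3004",
        "master-b": "3004.1",
        "minion-01": "3003.3",
        "minion-02": "3002.8",
        "minion-03": "3001.6",
        "minion-04": "2019.2.8",
    }
    for host in affected_hosts(sample):
        print(f"{host}: Salt {sample[host]} is affected by CVE-2022-22934")
```

The per-branch table matters: a naive "is it below 3004.1" comparison would wrongly flag a patched 3003.4 master, and a naive "is it at least 3002.8" check would wrongly clear an unpatched 3004.0 one.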
References
- blog.cloudflare.com/future-proofing-saltstack
- github.com/advisories/GHSA-2q4g-wfm6-5fpm
- github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2022-171.yaml
- github.com/saltstack/salt
- github.com/saltstack/salt/releases
- nvd.nist.gov/vuln/detail/CVE-2022-22934
- repo.saltproject.io/
- saltproject.io/security_announcements/salt-security-advisory-release/
- security.gentoo.org/glsa/202310-22
Detect and mitigate CVE-2022-22934 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →