CVE-2024-38825

Severity
6.4 MEDIUM
EPSS
0.1%
top 68.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Jun 13

Description

The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate, which the module validates against a CA certificate. This is not PKI authentication, because the caller does not need access to the corresponding private key for the authentication attempt to be accepted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Exploitability: 3.1 | Impact: 2.7

Affected Packages
2 packages

PyPI | salt | 3006.0rc1 | 3006.12 | +1
CVEListV5 | vmware/salt | 3006.x | 3006.12 | +1

Vulnerability Details (4)

OSV | Salt's salt.auth.pki module does not properly authenticate callers | 2025-06-13
CVEList | CVE-2024-38825 Salt Advisory | 2025-06-13
GHSA | Salt's salt.auth.pki module does not properly authenticate callers | 2025-06-13
OSV | CVE-2024-38825: The salt | 2025-06-13