CVE-2025-22240
published 2025-06-13CVE-2025-22240: Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using unvalidated input from…
medium6.3CVSS 3.1
AVLACHPRHUIRSUCHIHAH
Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using unvalidated input from the “tgt_env” variable. This can be exploited by an attacker to delete any file on the Master's process has permissions to.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| saltstack | salt | >= 3006.0rc1 < 3006.12 | 3006.12 |
| saltstack | salt | >= 3007.0rc1 < 3007.4 | 3007.4 |
| vmware | salt | >= 3006.x < 3006.12 | 3006.12 |
| vmware | salt | >= 3007.x < 3007.4 | 3007.4 |
CVSS provenance
nvdv3.16.3MEDIUMCVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
osv6.3MEDIUM