cbcvebase.

Saltstack Salt vulnerabilities

69 known vulnerabilities affecting saltstack/salt.

Total CVEs
69
CISA KEV
3
actively exploited
Public exploits
6
Exploited in wild
4
Severity breakdown
CRITICAL21HIGH25MEDIUM21LOW2

Vulnerabilities

Page 2 of 4
CVE-2022-22934P3HIGHCVSS 8.8≥ 3002, < 3002.8≥ 3003, < 3003.4+1 more2022-03-29
CVE-2022-22934 [HIGH] CVE-2022-22934: An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data.
ghsanvdosv
CVE-2022-22936P3HIGHCVSS 8.8≥ 3002, < 3002.8≥ 3003, < 3003.4+1 more2022-03-29
CVE-2022-22936 [HIGH] CWE-294 CVE-2022-22936: An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes a An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes and file server replies are susceptible to replay attacks, which can result in an attacker replaying job publishes causing minions to run old jobs. File server replies can also be re-played. A sufficient craft attacker could gain root access on minion un
ghsanvdosv
CVE-2013-6617P3CRITICALCVSS 10.0v0.11.0v0.12.0+9 more2013-11-05
CVE-2013-6617 [CRITICAL] CWE-264 CVE-2013-6617: The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privilege The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it easier for remote attackers to gain privileges.
ghsanvdosv
CVE-2020-28243P3HIGHCVSS 7.8fixed in 2015.8.10≥ 2015.8.11, < 2015.8.13+13 more2021-02-27
CVE-2020-28243 [HIGH] CWE-77 CVE-2020-28243: An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory.
ghsanvdosv
CVE-2021-31607P3HIGHCVSS 7.8≥ 2016.9, ≤ 3002.62021-04-23
CVE-2021-31607 [HIGH] CWE-78 CVE-2021-31607: In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper mod In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).
ghsanvdosv
CVE-2021-25315P3HIGHCVSS 7.8fixed in 3002.22021-03-03
CVE-2021-25315 [HIGH] CWE-287 CVE-2021-25315: CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSU CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1
ghsanvdosv
CVE-2021-33226P3CRITICALCVSS 9.8≤ 30032023-02-17
CVE-2021-33226 [CRITICAL] CWE-120 CVE-2021-33226: Buffer Overflow vulnerability in Saltstack v.3003 and before allows attacker to execute arbitrary co Buffer Overflow vulnerability in Saltstack v.3003 and before allows attacker to execute arbitrary code via the func variable in salt/salt/modules/status.py file. NOTE: this is disputed by third parties because an attacker cannot influence the eval input
nvdosv
CVE-2024-38824P3HIGHCVSS 7.5≥ 3006.0, < 3006.12≥ 3007.0, < 3007.42025-06-13
CVE-2024-38824 [HIGH] CWE-22 CVE-2024-38824: Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the ma Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory.
ghsanvdosv
CVE-2013-4438P3HIGHCVSS 7.5≤ 0.17.0v0.6.0+29 more2013-11-05
CVE-2013-4438 [HIGH] CWE-94 CVE-2013-4438: Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspec Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe.
nvdosv
CVE-2016-9639P3CRITICALCVSS 9.1≤ 2015.8.102017-02-07
CVE-2016-9639 [CRITICAL] CWE-284 CVE-2016-9639: Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related t Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching.
ghsanvdosv
CVE-2024-22232P3HIGH≥ 0, < 3005.5≥ 3006.0, < 3006.62024-06-27
CVE-2024-22232 [HIGH] CWE-22 Path traversal in saltstack Path traversal in saltstack A specially crafted url can be created which leads to a directory traversal in the salt file server. A malicious user can read an arbitrary file from a Salt master’s filesystem.
ghsaosv
CVE-2016-1866P3HIGHCVSS 8.1v2015.8.0v2015.8.1+2 more2016-04-12
CVE-2016-1866 [HIGH] CWE-284 CVE-2016-1866: Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows ma Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream.
ghsanvdosv
CVE-2020-35662P3HIGHCVSS 7.4fixed in 2015.8.10≥ 2015.8.11, < 2015.8.13+13 more2021-02-27
CVE-2020-35662 [HIGH] CWE-295 CVE-2020-35662: In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL cert In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated.
ghsanvdosv
CVE-2013-2228P3HIGH≥ 0, < 0.15.12022-05-05
CVE-2013-2228 [HIGH] CWE-307 SaltStack RSA Key Generation allows remote users to decrypt communications SaltStack RSA Key Generation allows remote users to decrypt communications SaltStack RSA Key Generation allows remote users to decrypt communications
ghsaosv
CVE-2017-7893P3CRITICALCVSS 9.8fixed in 2016.3.62018-04-23
CVE-2017-7893 [CRITICAL] CVE-2017-7893: In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master. In SaltStack Salt before 2016.3.6, compromised salt-minions can impersonate the salt-master.
ghsanvdosv
CVE-2013-4436P3CRITICALCVSS 9.3v0.17.02013-11-05
CVE-2013-4436 [CRITICAL] CWE-20 CVE-2013-4436: The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.
ghsanvdosv
CVE-2025-62348P3HIGH≥ 0, < 3006.172026-01-30
CVE-2025-62348 [HIGH] CWE-94 Salt junos Module Vulnerable to Code Injection via Specially Crafted YAML Payload Salt junos Module Vulnerable to Code Injection via Specially Crafted YAML Payload Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process.
ghsaosv
CVE-2017-14696P3HIGHCVSS 7.5≤ 2016.3.7v2016.11+10 more2017-10-24
CVE-2017-14696 [HIGH] CWE-20 CVE-2017-14696: SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remo SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request.
ghsanvdosv
CVE-2023-20898P3HIGHCVSS 7.8fixed in 3005.2≥ 3006.0, < 3006.2+1 more2023-09-05
CVE-2023-20898 [HIGH] CVE-2023-20898: Git Providers can read from the wrong environment because they get the same cache directory base nam Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.
ghsanvdosv
CVE-2025-62349P3HIGH≥ 3006.12, < 3006.17≥ 3007.4, < 3007.92026-01-30
CVE-2025-62349 [HIGH] CWE-287 Salt Authentication Protocol Version Downgrade Allows Minion Impersonation Salt Authentication Protocol Version Downgrade Allows Minion Impersonation Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.
ghsaosv
Saltstack Salt vulnerabilities | cvebase