cbcvebase.

Saltstack Salt vulnerabilities

69 known vulnerabilities affecting saltstack/salt.

Total CVEs
69
CISA KEV
3
actively exploited
Public exploits
6
Exploited in wild
4
Severity breakdown
CRITICAL21HIGH25MEDIUM21LOW2

Vulnerabilities

Page 3 of 4
CVE-2025-22236P3HIGH≥ 3007.0, < 3007.4≥ 3006.0, < 3006.122025-06-13
CVE-2025-22236 [HIGH] CWE-287 Salt has minion event bus authorization bypass vulnerability Salt has minion event bus authorization bypass vulnerability Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0).
ghsaosv
CVE-2015-6941P3CRITICAL≥ 2015.5, < 2015.5.6≥ 2015.8, < 2015.8.12022-05-17
CVE-2015-6941 [CRITICAL] CWE-200 salt password information leaked in debug logs salt password information leaked in debug logs win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
ghsaosv
CVE-2017-8109P3HIGHCVSS 7.8v2016.11v2016.11.0+3 more2017-04-25
CVE-2017-8109 [HIGH] CWE-200 CVE-2017-8109: The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from t The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).
ghsanvdosv
CVE-2024-38825P3MEDIUM≥ 3006.0rc1, < 3006.12≥ 3007.0rc1, < 3007.42025-06-13
CVE-2024-38825 [MEDIUM] CWE-287 Salt's salt.auth.pki module does not properly authenticate callers Salt's salt.auth.pki module does not properly authenticate callers The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted.
ghsaosv
CVE-2025-22239P3HIGH≥ 3006.0rc1, < 3006.12≥ 3007.0rc1, < 3007.42025-06-13
CVE-2025-22239 [HIGH] CWE-285 Salt vulnerable to arbitrary event injection Salt vulnerable to arbitrary event injection Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by and authorized minion to send arbitrary events onto the master's event bus.
ghsaosv
CVE-2020-28972P4MEDIUMCVSS 5.9fixed in 2015.8.10≥ 2015.8.11, < 2015.8.13+13 more2021-02-27
CVE-2020-28972 [MEDIUM] CWE-295 CVE-2020-28972: In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate.
ghsanvdosv
CVE-2018-15750P4MEDIUMCVSS 5.3fixed in 2017.7.8≥ 2018.3.0, < 2018.3.32018-10-24
CVE-2018-15750 [MEDIUM] CWE-22 CVE-2018-15750: Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.
ghsanvdosv
CVE-2013-4435P4MEDIUMCVSS 6.0v0.15.0v0.15.1+5 more2013-11-05
CVE-2013-4435 [MEDIUM] CWE-287 CVE-2013-4435: Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated users who are using external Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated users who are using external authentication or client ACL to execute restricted routines by embedding the routine in another routine.
ghsanvdosv
CVE-2025-22237P3MEDIUM≥ 3006.0rc1, < 3006.12≥ 3007.0rc1, < 3007.42025-06-13
CVE-2025-22237 [MEDIUM] CWE-77 Salt's on demand pillar functionality vulnerable to arbitrary command injections Salt's on demand pillar functionality vulnerable to arbitrary command injections An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause and arbitrary command to be run on the master with the same privileges as the master process.
ghsaosv
CVE-2013-4437P4CRITICALCVSS 10.0v0.17.02013-11-05
CVE-2013-4437 [CRITICAL] CVE-2013-4437: Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0 has unspecified impact and vect Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0 has unspecified impact and vectors related to "insecure Usage of /tmp."
ghsanvdosv
CVE-2015-4017P4HIGHCVSS 7.5v2014.7.52017-08-25
CVE-2015-4017 [HIGH] CWE-295 CVE-2015-4017: Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splun Salt before 2014.7.6 does not verify certificates when connecting via the aliyun, proxmox, and splunk modules.
ghsanvdosv
CVE-2016-3176P4MEDIUMCVSS 5.6≤ 2015.5.9v2015.8.0+6 more2017-01-31
CVE-2016-3176 [MEDIUM] CWE-287 CVE-2016-3176: Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, all Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.
ghsanvdosv
CVE-2024-22231P4MEDIUM≥ 0, < 3005.5≥ 3006.0, < 3006.62024-06-27
CVE-2024-22231 [MEDIUM] CWE-22 Directory creation by malicious user in saltstack Directory creation by malicious user in saltstack Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create an arbitrary directory on a Salt master.
ghsaosv
CVE-2023-34049P4MEDIUM≥ 0, < 3005.4≥ 3006.0rc1, < 3006.42024-11-14
CVE-2023-34049 [MEDIUM] CWE-340 Salt preflight script could be attacker controlled Salt preflight script could be attacker controlled The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their script. If an attacker has access to the target VM and knows the path to the pre-flight script before it runs they can ensure Salt-SSH runs their script with the privileges of the user running Salt-SSH. Do not make the copy
ghsaosv
CVE-2025-22240P4MEDIUM≥ 3007.0rc1, < 3007.4≥ 3006.0rc1, < 3006.122025-06-13
CVE-2025-22240 [MEDIUM] CWE-22 Salt allows arbitrary directory creation or file deletion Salt allows arbitrary directory creation or file deletion Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using unvalidated input from the “tgt_env” variable. This can be exploited by an attacker to delete any file on the Master's process has permissions to.
ghsaosv
CVE-2021-22004P4MEDIUMCVSS 6.4fixed in 3000.32021-09-08
CVE-2021-22004 [MEDIUM] CWE-362 CVE-2021-22004: An issue was discovered in SaltStack Salt before 3003.3. The salt minion installer will accept and u An issue was discovered in SaltStack Salt before 3003.3. The salt minion installer will accept and use a minion config file at C:\salt\conf if that file is in place before the installer is run. This allows for a malicious actor to subvert the proper behaviour of the given minion software.
ghsanvdosv
CVE-2013-4439P4MEDIUMCVSS 4.9v0.15.0v0.15.1+5 more2013-11-05
CVE-2013-4439 [MEDIUM] CWE-264 CVE-2013-4439: Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key.
ghsanvdosv
CVE-2015-6918P4MEDIUM≥ 0, < 2015.5.52022-05-17
CVE-2015-6918 [MEDIUM] CWE-200 salt leaks git usernames and passwords to the log salt leaks git usernames and passwords to the log salt before 2015.5.5 leaks git usernames and passwords to the log.
ghsaosv
CVE-2023-20897P4MEDIUMCVSS 5.3fixed in 3005.2≥ 3006.0, < 3006.2+1 more2023-09-05
CVE-2023-20897 [MEDIUM] CWE-404 CVE-2023-20897: Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad p Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted.
ghsanvdosv
CVE-2014-3563P4HIGHCVSS 7.2≤ 2014.1.92014-08-22
CVE-2014-3563 [HIGH] CWE-59 CVE-2014-3563: Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to h Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.
ghsanvdosv
Saltstack Salt vulnerabilities | cvebase