Unauthenticated Arbitrary Pillar Data Substitution in SaltStack Salt

CVE-2022-22934 · HIGH Severity

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data.
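A fleet triage check for the fixed releases listed above, as an added example that is not part of the original advisory or of Salt itself. It assumes the three versions are per-branch fixed releases, that branches older than 3002 have no fixed release, and that branches newer than 3004 already carry the fix; the host names and inventory are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {3002: 8, 3003: 4, 3004: 1}


def parse_version(text):
    """Extract (branch, patch) from strings such as '3002.8', '3004',
    'salt-minion 3003.3', '3004rc1' or the old-style '2019.2.8'."""
    m = re.search(r"(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected(version_text):
    """True if the version predates the fixed release for its branch."""
    branch, patch = parse_version(version_text)
    if branch in FIXED:
        return patch < FIXED[branch]
    # Assumption: branches older than 3002 never received a fix,
    # branches newer than 3004 shipped with it.
    return branch < min(FIXED)


def triage(inventory):
    """Return the sorted host names whose Salt version needs upgrading."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


# Constructed inventory: host name -> reported Salt version string.
SAMPLE_INVENTORY = {
    "master01": "salt-master 3004.1",
    "web01": "salt-minion 3004",
    "web02": "salt-minion 3003.4",
    "db01": "salt-minion 3002.7",
    "legacy01": "salt-minion 2019.2.8",
    "build01": "salt-minion 3004rc1",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required ({SAMPLE_INVENTORY[host]})")
```

Because the flaw is in how the master delivers pillar data to minions, check masters and minions alike.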
