Lucene search

GitHub Advisory DatabaseGHSA-QVH6-3J7X-3HQ7

HistorySep 05, 2023 - 12:30 p.m.

Salt can cause Git Providers to get wrong data

2023-09-0512:30:16

GitHub Advisory Database

github.com

salt

git providers

cache directory

salt masters

wrongful data disclosure

executions

corruption

crashes.

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

5.1%

JSON

Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.

Affected configurations

Vulners

Node

saltstacksaltRange<3006.2

saltstacksaltRange<3005.2

CPENameOperatorVersion
saltlt3006.2
saltlt3005.2

CPE	Name	Operator	Version
	salt	lt	3006.2
	salt	lt	3005.2

References

github.com/advisories/GHSA-qvh6-3j7x-3hq7

github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2023-169.yaml

lists.fedoraproject.org/archives/list/[email protected]/message/OMWJIHQZXHK6FH2E3IWAZCYIRI7FLVOL/

nvd.nist.gov/vuln/detail/CVE-2023-20898

saltproject.io/security-announcements/2023-08-10-advisory/

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

5.1%

JSON

Related for GHSA-QVH6-3J7X-3HQ7