124 matches found
SUSE CVE-2025-22237
An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause and arbitrary command to be run on the master with the same privileges as the master process...
Improper Certificate Validation
Overview salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more. Affected versions of this package are vulnerable t...
Arbitrary Command Injection
Overview salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more. Affected versions of this package are vulnerable t...
CVE-2025-22241
File contents overwrite the VirtKey class is called when “on-demand pillar” data is requested and uses un-validated input to create paths to the “pki directory”. The functionality is used to auto-accept Minion authentication keys based on a pre-placed “authorization file” at a specific location a...
CVE-2025-22237
An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause and arbitrary command to be run on the master with the same privileges as the master process...
UBUNTU-CVE-2025-22241
File contents overwrite the VirtKey class is called when “on-demand pillar” data is requested and uses un-validated input to create paths to the “pki directory”. The functionality is used to auto-accept Minion authentication keys based on a pre-placed “authorization file” at a specific location a...
UBUNTU-CVE-2025-22237
An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause and arbitrary command to be run on the master with the same privileges as the master process...
Malicious code in @now-par-components/sn-par-pillar (npm)
--- -= Per source details. Do not edit below this line.=-...
MAL-2024-3029 Malicious code in @now-par-components/sn-par-pillar (npm)
--- -= Per source details. Do not edit below this line.=-...
SUSE CVE-2022-22934
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion's public key, which can result in attackers substituting arbitrary pillar data...
SUSE-SU-2024:0508-1 Security update for salt
This update for salt fixes the following issues: Security issues fixed: - CVE-2024-22231: Prevent directory traversal when creating syndic cache directory on the master bsc1219430 - CVE-2024-22232: Prevent directory traversal attacks in the master's servefile method bsc1219431 Bugs fixed: - Ensur...
SUSE-SU-2024:0507-1 Security update for salt
This update for salt fixes the following issues: Security issues fixed: - CVE-2024-22231: Prevent directory traversal when creating syndic cache directory on the master bsc1219430 - CVE-2024-22232: Prevent directory traversal attacks in the master's servefile method bsc1219431 Bugs fixed: - Ensur...
GHSA-4QHP-652W-C22X Unsecured endpoints in the jupyter-lsp server extension
Impact Installations of jupyter-lsp running in environments without configured file system access control on the operating system level, and with jupyter-server instances exposed to non-trusted network are vulnerable to unauthorised access and modification of file system beyond the jupyter root...
Malicious code in pillar-lifi-zap (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis f6752cdfc26aa682f3cbce0cfb7c709c97f885cbfae33367ffa76e599a041393 The OpenSSF Package Analysis project identified 'pillar-lifi-zap' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...
MAL-2023-8620 Malicious code in pillar-lifi-zap (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis f6752cdfc26aa682f3cbce0cfb7c709c97f885cbfae33367ffa76e599a041393 The OpenSSF Package Analysis project identified 'pillar-lifi-zap' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...
Duplicate Advisory: EVE: SSH as Root Unlockable Without Triggering Measured Boot
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-phcg-h58r-gmcq. This link is maintained to preserve external references. Original Description On boot, the Pillar eve container checks for the existence and content of “/config/authorizedkeys”. If the file is...
GHSA-F6WP-8J9R-FRRG Duplicate Advisory: EVE: SSH as Root Unlockable Without Triggering Measured Boot
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-phcg-h58r-gmcq. This link is maintained to preserve external references. Original Description On boot, the Pillar eve container checks for the existence and content of “/config/authorizedkeys”. If the file is...
CVE-2023-43633
On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system’s configuration, which also includes some debug functions...
CVE-2023-43631
On boot, the Pillar eve container checks for the existence and content of “/config/authorizedkeys”. If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login. An attacker could...
Design/Logic Flaw
On boot, the Pillar eve container checks for the existence and content of “/config/authorizedkeys”. If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login. An attacker could...