Lucene search

GitHub Advisory DatabaseGHSA-QVH6-3J7X-3HQ7

HistorySep 05, 2023 - 12:30 p.m.

Salt can cause Git Providers to get wrong data

2023-09-0512:30:16

GitHub Advisory Database

github.com

salt

git providers

cache directory

salt masters

wrongful data disclosure

executions

corruption

crashes.

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.

Affected configurations

Vulners

Node

saltRange<3006.2

saltRange<3005.2

VendorProductVersionCPE
*salt*cpe:2.3:a:*:salt:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	salt	*	cpe:2.3:a::salt::::::::*

References

github.com/advisories/GHSA-qvh6-3j7x-3hq7

github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2023-169.yaml

lists.fedoraproject.org/archives/list/[email protected]/message/OMWJIHQZXHK6FH2E3IWAZCYIRI7FLVOL/

nvd.nist.gov/vuln/detail/CVE-2023-20898

saltproject.io/security-announcements/2023-08-10-advisory/

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

Related for GHSA-QVH6-3J7X-3HQ7