MEDIUM 6.7

GHSA-4277-m35q-7c9w

Salt preflight script could be attacker controlled

Details

The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their script. If an attacker has access to the target VM and knows the path to the pre-flight script before it runs they can ensure Salt-SSH runs their script with the privileges of the user running Salt-SSH. Do not make the copy path on the target predictable and ensure we check return codes of the scp command if the copy fails.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / salt

Introduced in: 0 Fixed in: 3005.4

Fix pip install --upgrade 'salt>=3005.4'

PyPI / salt

Introduced in: 3006.0rc1 Fixed in: 3006.4

Fix pip install --upgrade 'salt>=3006.4'

References

https://nvd.nist.gov/vuln/detail/CVE-2023-34049 [ADVISORY]
https://github.com/saltstack/salt/commit/286d55eb5a6e6bf9428405bdf5632b419bdf8444 [WEB]
https://github.com/saltstack/salt/commit/7a14112f2a16ce70e3c3e1862c92e37af5f2c7a4 [WEB]
https://github.com/saltstack/salt [PACKAGE]
https://saltproject.io/security-announcements/2023-10-27-advisory [WEB]