MEDIUM 6.4

GHSA-4j59-vv55-q6h3

Salt's salt.auth.pki module does not properly authenticate callers

Details

The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / salt

Introduced in: 3006.0rc1 Fixed in: 3006.12

Fix pip install --upgrade 'salt>=3006.12'

PyPI / salt

Introduced in: 3007.0rc1 Fixed in: 3007.4

Fix pip install --upgrade 'salt>=3007.4'

References

https://nvd.nist.gov/vuln/detail/CVE-2024-38825 [ADVISORY]
https://github.com/saltstack/salt/commit/5ff18fd0ececdfd083ddce693c3ccef30e44f155 [WEB]
https://github.com/saltstack/salt/commit/d7cb64e44db5f82fd615373f5dca2eb1fb29bbab [WEB]
https://docs.saltproject.io/en/3006/topics/releases/3006.12.html [WEB]
https://docs.saltproject.io/en/3007/topics/releases/3007.4.html [WEB]
https://github.com/saltstack/salt [PACKAGE]