Components
Vulnerabilities
Pricing
MCP
API
Docs
Sign up
Login
salt 3001.2 | Vulnerabilities | Sonatype Guide
pypi
salt
3001.2
salt 3001.2
Published
Nov 3, 2020
•
Policy
compliance
pypi Registry
Developer Trust Score
N/A
Recommended Version:
x.y.z
Latest version with 0 known vulnerabilities that meets your policy.
Compare Versions
Overview
Overview
Versions
257
Versions
257
Vulnerabilities
44
Vulnerabilities
44
Dependencies
0
Dependencies
0
Reset filters
Severity
Critical
(0)
High
(15)
Medium
(0)
Low
(0)
CVSS Score
0.0
10.0
EPSS Score
0.0
1.0
Malware
KEV Status
Published
Filter
Sort: Published (Newest first)
8.5
CVE-2025-62348
Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process.
affected
Severity
High
Published
Feb 2, 2026
8.3
CVE-2025-22239
Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by and authorized minion to send arbitrary events onto the master's event bus.
affected
Severity
High
Published
Jun 13, 2025
8.4
CVE-2025-22237
An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause and arbitrary command to be run on the master with the same privileges as the master process.
affected
Severity
High
Published
Jun 13, 2025
7.5
CVE-2024-38824
Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory.
affected
Severity
High
Published
Jun 13, 2025
8.3
CVE-2025-22236
Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0).
affected
Severity
High
Published
Jun 13, 2025
7.1
CVE-2024-22232
A specially crafted url can be created which leads to a directory traversal in the salt file server. A malicious user can read an arbitrary file from a Salt master’s filesystem.
affected
Severity
High
Published
Nov 6, 2024
7.8
CVE-2023-20898
Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.
affected
Severity
High
Published
Aug 14, 2023
8.8
CVE-2022-22967
An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.
affected
Severity
High
Published
Jun 22, 2022
8.8
CVE-2022-22934
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data.
affected
Severity
High
Published
Mar 29, 2022
8.8
CVE-2022-22941
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion.
affected
Severity
High
Published
Mar 29, 2022
8.8
CVE-2022-22936
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes and file server replies are susceptible to replay attacks, which can result in an attacker replaying job publishes causing minions to run old jobs. File server replies can also be re-played. A sufficient craft attacker could gain root access on minion under certain scenarios.
affected
Severity
High
Published
Mar 29, 2022
7.5
CVE-2021-21996
An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.
affected
Severity
High
Published
Sep 7, 2021
7.8
CVE-2021-31607
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).
affected
Severity
High
Published
Apr 26, 2021
7.4
CVE-2020-35662
In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated.
affected
Severity
High
Published
Mar 3, 2021
7.8
CVE-2020-28243
An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory.
affected
Severity
High
Published
Mar 2, 2021
