GHSA-4j59-vv55-q6h3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4j59-vv55-q6h3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-4j59-vv55-q6h3/GHSA-4j59-vv55-q6h3.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4j59-vv55-q6h3
- Aliases
-
- CVE-2024-38825
- Published
- 2025-06-13T09:30:33Z
- Modified
- 2025-06-13T22:12:20.832473Z
- Severity
-
- 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Salt's salt.auth.pki module does not properly authenticate callers
- Details
-
The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted.
- Database specific
{ "cwe_ids": [ "CWE-287" ], "github_reviewed_at": "2025-06-13T21:15:54Z", "nvd_published_at": "2025-06-13T07:15:20Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-38825
- https://github.com/saltstack/salt/commit/5ff18fd0ececdfd083ddce693c3ccef30e44f155
- https://github.com/saltstack/salt/commit/d7cb64e44db5f82fd615373f5dca2eb1fb29bbab
- https://docs.saltproject.io/en/3006/topics/releases/3006.12.html
- https://docs.saltproject.io/en/3007/topics/releases/3007.4.html
- https://github.com/saltstack/salt
Affected packages
PyPI / salt
Package
- Name
- salt
- View open source insights on deps.dev
- Purl
- pkg:pypi/salt
PyPI / salt
Package
- Name
- salt
- View open source insights on deps.dev
- Purl
- pkg:pypi/salt