GHSA-jh7c-xh74-h76f

Source
https://github.com/advisories/GHSA-jh7c-xh74-h76f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-jh7c-xh74-h76f/GHSA-jh7c-xh74-h76f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jh7c-xh74-h76f
Aliases
  • CVE-2025-22236
Published
2025-06-13T09:30:33Z
Modified
2025-06-13T22:27:16.110881Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Summary
Salt has minion event bus authorization bypass vulnerability
Details

Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0).

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2025-06-13T07:15:20Z",
    "github_reviewed_at": "2025-06-13T21:18:03Z"
}

Affected packages

PyPI / salt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3007.0
Fixed
3007.4

Affected versions

3007.*

3007.0
3007.1
3007.2
3007.3

PyPI / salt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3006.0
Fixed
3006.12

Affected versions

3006.*

3006.0
3006.1
3006.2
3006.3
3006.4
3006.5
3006.6
3006.7
3006.8
3006.9
3006.10
3006.11