Privilege Escalation Affecting salt package, versions [,3001.8) [3002rc1, 3002.7) [3003rc1,3003.3)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-SALT-1583864
- published 9 Sep 2021
- disclosed 9 Sep 2021
- credit Salt Windows Working Group
Introduced: 9 Sep 2021
CVE-2021-22004 Open this link in a new tabHow to fix?
Upgrade salt to version 3001.8, 3002.7, 3003.3 or higher.
Overview
salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.
Affected versions of this package are vulnerable to Privilege Escalation. The salt minion installer will accept and use a minion config file at C:\salt\conf if that file is in place before the installer is run. This allows for a malicious actor to subvert the proper behavior of the given minion software.
The malicious actor must have access to a Windows system, permission to create directories and files on the root of the system drive, and create a malicious minion config at C:\salt\conf.