Improper Access Control Affecting salt package, versions [,3005.4) [3006.0rc1,3006.4)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-SALT-6141124
- published 1 Jan 2024
- disclosed 1 Jan 2024
- credit Unknown
Introduced: 1 Jan 2024
CVE-2023-34049 Open this link in a new tabHow to fix?
Upgrade salt to version 3005.4, 3006.4 or higher.
Overview
salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.
Affected versions of this package are vulnerable to Improper Access Control. The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their script. If an attacker has access to the target VM and knows the path to the pre-flight script before it runs they can ensure Salt-SSH runs their script with the privileges of the user running Salt-SSH.