SB2025072895 - SUSE update for salt
Published: July 28, 2025
Description
This security bulletin contains information about 12 security vulnerabilities.
1) Improper authentication (CVE-ID: CVE-2024-38822)
The vulnerability allows a remote user to bypass the authentication process.
The vulnerability exists because multiple methods in the Salt master skip minion token validation. A remote user can impersonate another minion.
2) Insufficient verification of data authenticity (CVE-ID: CVE-2024-38823)
The vulnerability allows a remote user to perform replay attacks.
The vulnerability exists due to missing authenticity checks when not using a TLS encrypted transport. A remote user can perform replay attacks.
3) Path traversal (CVE-ID: CVE-2024-38824)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error in the recv_file method. A remote user can write arbitrary files to the master cache directory.
4) Improper Authentication (CVE-ID: CVE-2024-38825)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an error in the salt.auth.pki module. The "password" field contains a public certificate which is validated against a CA certificate by the module.
5) Improper Authorization (CVE-ID: CVE-2025-22236)
The vulnerability allows a local user to impersonate other minions.
The vulnerability exists due to improper authorization. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions.
6) Improper Authorization (CVE-ID: CVE-2025-22237)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper authorization. An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted Git URL, which could cause an arbitrary command to be run on the master with the same privileges as the master process.
7) Path traversal (CVE-ID: CVE-2025-22238)
The vulnerability allows a local user to perform a directory traversal attack.
The vulnerability exists due to an input validation error in minion file cache creation. The master's default cache is vulnerable to a directory traversal attack, which could be leveraged to write or overwrite 'cache' files outside of the cache directory.
8) Insufficient verification of data authenticity (CVE-ID: CVE-2025-22239)
The vulnerability allows a local user to inject arbitrary events on Salt Master.
The vulnerability exists due to insufficient verification of data authenticity. The master's "_minion_event" method can be used by an authorized minion to send arbitrary events onto the master's event bus.
9) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-22240)
The vulnerability allows a local user to manipulate files and directories.
The vulnerability exists due to improper input validation in the find_file method of the GitFS class. A local user can create arbitrary directories or delete any file on the Master's process without the necessary permissions.
10) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-22241)
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to a file contents overwrite issue: the VirtKey class is called when "on-demand pillar" data is requested and uses unvalidated input to create paths to the "pki directory". The functionality is used to auto-accept Minion authentication keys based on a pre-placed "authorization file" at a specific location and is present in the default configuration.
11) Input validation error (CVE-ID: CVE-2025-22242)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the pub_ret method. A local user can attempt to read from a filename that will not return any data and perform a denial of service (DoS) attack.
12) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-47287)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive logging in the multipart/form-data parser. A remote attacker can force the application to generate an extremely high volume of logs and perform a denial of service (DoS) attack.
Remediation
Install the update from the vendor's website.