Specially crafted url can be created which leads to a directory traversal in the salt file server
CVE-2024-22232

7.7HIGH

Key Information:

Vendor: Vmware
Status: Salt Project
Vendor: CVE Published:; 27 June 2024

Summary

A directory traversal vulnerability in the Salt File Server allows an attacker to craft a specially designed URL that exploits the server's file path handling. This vulnerability enables a malicious user to access arbitrary files on the Salt master’s filesystem, potentially leading to unauthorized disclosure of sensitive information. Admins of affected systems should implement security measures and updates to mitigate this vulnerability and protect against unauthorized file access.

Affected Version(s)

Salt Project 0 < 3005.5, 3006.6

References

https://saltproject.io/security-announcements/2024-01-31-...

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jun 27, 2024
Vulnerability Reserved
Jan 8, 2024