Token Validation Flaw in SaltStack's Salt Master Affects Security
CVE-2024-38822

2.7LOW

Key Information:

Vendor: Vmware
Status: Salt
Vendor: CVE Published:; 13 June 2025

What is CVE-2024-38822?

The Salt Master in SaltStack allows multiple methods to bypass minion token validation, which could enable a compromised minion to impersonate another minion. This vulnerability poses a significant security risk, as it undermines the authenticity of communications within the Salt ecosystem. Users should promptly review the affected versions and implement recommended patches to secure their environments.

Affected Version(s)

SALT 3006.x < 3006.12

SALT 3007.x < 3007.4

References

https://docs.saltproject.io/en/3006/topics/releases/3006....

https://docs.saltproject.io/en/3007/topics/releases/3007....

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 13, 2025
Vulnerability Reserved
Jun 19, 2024

JSON

Vmware

What is CVE-2024-38822?

Affected Version(s)

References

CVSS V3.1

Timeline