CVE-2024-38825
Salt's salt.auth.pki module does not properly authenticate callers
CVSS 3.1 base score: 6.4 (MEDIUM)
EPSS: 0.12%
Description
The salt.auth.pki module does not properly authenticate callers. The "password" field carries a public certificate, which the module validates against a CA certificate and nothing more. This is not PKI authentication: the caller never has to prove possession of the corresponding private key, so any copy of a CA-issued certificate is enough for the authentication attempt to be accepted.
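As an added illustration (not Salt's code), the flawed chain-only check beside a proof-of-possession check, written in Go against a constructed throwaway PKI; the function names, the "test-ca" and "alice" identities and the nonce scheme are assumptions for the demo:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a minimal certificate for pub signed by signer; parent == nil means a self-signed CA.
// Constructed throwaway PKI for the demo, not Salt's code; errors are ignored for brevity.
func issue(cn string, ca bool, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, t.KeyUsage = t, x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	c, _ := x509.ParseCertificate(der)
	return c
}

// Constructed PKI: one CA and one client certificate for "alice" issued by it.
var (
	caPub, caKey, _       = ed25519.GenerateKey(rand.Reader)
	alicePub, aliceKey, _ = ed25519.GenerateKey(rand.Reader)
	caCert                = issue("test-ca", true, nil, caPub, caKey)
	aliceCert             = issue("alice", false, caCert, alicePub, caKey)
)

// chainOnlyOK is the flawed check: the certificate only has to chain to the CA, so a copy of alice's public certificate suffices.
func chainOnlyOK(presented *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// signNonce is the client side of a real PKI login: sign the server's fresh nonce with the private key.
func signNonce(key ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(key, nonce) }

// proofOfPossessionOK keeps the chain check and adds what it lacked: a valid signature over the
// server's nonce under the certificate's public key, which only the private-key holder can produce.
func proofOfPossessionOK(presented *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := presented.PublicKey.(ed25519.PublicKey)
	return ok && chainOnlyOK(presented) && ed25519.Verify(pub, nonce, sig)
}
```

The server must generate a fresh random nonce per login attempt, otherwise a captured signature can be replayed just like the bare certificate.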
How to fix CVE-2024-38825
To remediate CVE-2024-38825, upgrade the affected package to a fixed version:
- Upgrade to 3006.12 or later
Is CVE-2024-38825 being exploited?
Low: EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- salt: >= 3006.0rc1, < 3006.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.4) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |