CVE-2025-62349
MEDIUM6.2EPSS 0.02%Salt Authentication Protocol Version Downgrade Allows Minion Impersonation
發布日:2026/1/30修改日:2026/2/3
描述
Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.
受影響套件(1)
- PyPI/salt>= 3006.12, < 3006.17
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.2 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-62349
- PATCHhttps://github.com/saltstack/salt
- WEBhttps://docs.saltproject.io/en/latest/topics/releases/3006.17.html
- WEBhttps://docs.saltproject.io/en/latest/topics/releases/3007.9.html
- WEBhttps://github.com/saltstack/salt/commit/3d5708acae16d039a1e2b5529c8e14a0d3255611
- WEBhttps://github.com/saltstack/salt/issues/68467