Vulnerability CVE-2023-20898: Information

Description

Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.

Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-20898
Published: Sept. 5, 2023
Modified: Sept. 14, 2023

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
saltsisyphus3006.3-alt23007.0-alt1ALT-PU-2023-5558-1329380Fixed
saltsisyphus_e2k3006.3-alt23006.3-alt3.2ALT-PU-2023-5583-1-Fixed
saltsisyphus_riscv643006.3-alt23007.0-alt1ALT-PU-2023-5612-1-Fixed
saltp103006.3-alt33007.0-alt0.p10.1ALT-PU-2023-5717-2329223Fixed
saltp10_e2k3006.3-alt33006.3-alt3.2ALT-PU-2023-5868-1-Fixed
saltc10f13005.2-alt0.c10.13005.5-alt1ALT-PU-2023-5591-2329378Fixed
saltc9f23005.2-alt0.c9.23005.4-alt0.c9.1ALT-PU-2023-5935-5319698Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://saltproject.io/security-announcements/2023-08-10-advisory/
  • Mitigation
  • Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMWJIHQZXHK6FH2E3IWAZCYIRI7FLVOL/

      1. Configuration 1

        cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
        Start including
        3006.0
        End excliding
        3006.2
        cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
        End excliding
        3005.2
    VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
    Version: v24.5.1
    Back to top