Primary

Context

Salt Project PKI Authentication Bypass Vulnerability in the Auth Module

Vulnerability

A vulnerability exists in the Salt Project's authentication module for public key infrastructure (PKI) management. The issue arises because the module fails to properly authenticate callers. Instead of requiring access to a private key for validation, the module accepts authentication attempts based solely on a public certificate, which is checked against a certificate authority (CA) certificate. This flaw allows for improper authentication in PKI-related operations.

Impact

Exploitation of this vulnerability could lead to unauthorized authentication in PKI operations, potentially allowing a caller to impersonate another entity without proper validation.

Remediation

Users can upgrade to Salt versions 3007.4 or 3006.12, both of which include the necessary fix for this vulnerability.

Added: Jun 13, 2025, 7:41 AM

Updated: Jun 13, 2025, 7:41 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

5.2

remediation

0.0

relevance

0.2

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

5.2

remediation

0.0

relevance

0.2

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Salt Project PKI Authentication Bypass Vulnerability in the Auth Module

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating