Salt Master Arbitrary Event Injection Vulnerability
Vulnerability
A vulnerability exists in Salt Master versions through 3006.12 and in 3007.0 and later, allowing authorized minions to inject arbitrary events into the master's event bus. This is possible because the master's '_minion_event' method can be exploited by minions with access to a minion key.
Impact
Exploitation of this vulnerability allows for unauthorized event injection on the master's event bus, which could be used to disrupt normal operations or manipulate event-driven processes.
Added: Jun 13, 2025, 7:34 AM
Updated: Jun 13, 2025, 7:34 AM
Vulnerability Rating
Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 3.5
remediation: 0.0
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
