Bugzilla – Bug 1219430
VUL-0: CVE-2024-22231: salt: Syndic cache directory creation is vulnerable to a directory traversal attack.
Last modified: 2024-07-12 16:30:32 UTC
Salt security advisory release - 2024-JAN-31

CVE-2024-22231
Description: Syndic cache directory creation is vulnerable to a directory traversal attack.
Impact: An arbitrary directory can be created on a Salt master.
Solution: Validate directory creation path.
How to Mitigate: Upgrade Salt masters to 3005.5 or 3006.6
Attribution: Yudi Zhao (Huawei Nebula Security Lab), Chenwei Jiang (Huawei Nebula Security Lab)
Severity Rating: 5.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
References: https://saltproject.io/security-announcements/2024-01-31-advisory/
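The advisory's "Solution: Validate directory creation path" is the generic defence against this bug class: never let an untrusted name steer a join outside the cache root. The following is an added example written for this page, not Salt's code and not the upstream fix; the cache root path is a hypothetical value, and the names passed in stand for whatever identifier the master would use to pick a per-syndic directory. It contrasts a naive join with a checked one that rejects separators and ".." components and then confirms containment after path resolution.

```python
"""Cache directory path validation (added example, not Salt project code)."""
import os
import tempfile
from pathlib import Path

# Hypothetical cache root; Salt's real on-disk layout is not taken from this page.
CACHE_ROOT = "/var/cache/salt/master/syndics"


def unsafe_cache_dir(cache_root, name):
    """The weak pattern: a plain join with no validation, so a name carrying
    '..' components resolves outside cache_root."""
    return Path(os.path.join(cache_root, name)).resolve()


def safe_cache_dir(cache_root, name):
    """Return the directory path for `name` under cache_root, or None if the
    name is malformed or the resolved path would escape the root."""
    root = Path(cache_root).resolve()
    # Syntactic checks: a single path component only, no separators, no dot dirs.
    if not name or name in (".", "..") or "/" in name or "\\" in name or os.sep in name:
        return None
    if "\0" in name:
        return None
    candidate = (root / name).resolve()
    # Containment check after resolution (covers symlinked roots as well).
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def create_cache_dir(cache_root, name):
    """Create the validated directory and return its path; refuse invalid names."""
    path = safe_cache_dir(cache_root, name)
    if path is None:
        raise ValueError(f"refusing to create cache directory for invalid name {name!r}")
    path.mkdir(parents=True, exist_ok=True)
    return path


def escapes_root(cache_root, name):
    """True when the naive join would place `name` outside cache_root."""
    root = Path(cache_root).resolve()
    try:
        unsafe_cache_dir(cache_root, name).relative_to(root)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed demonstration in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "syndics")
        print("created:", create_cache_dir(root, "syndic-a"))
        for bad in ("../outside", "a/b", "..", ""):
            print(f"{bad!r}: naive escapes={escapes_root(root, bad)}, "
                  f"validated={safe_cache_dir(root, bad)}")
```

`safe_cache_dir` deliberately applies both a syntactic filter and a post-resolution containment check: the first makes the policy explicit (one plain component), the second catches anything the first did not anticipate, such as a symlink under the root pointing elsewhere.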
Affected packages:
- SUSE:ALP:Source:Standard:1.0/salt
- SUSE:SLE-15-SP1:Update/salt
- SUSE:SLE-15-SP2:Update/salt
- SUSE:SLE-15-SP3:Update/salt
- SUSE:SLE-15-SP4:Update/salt
- SUSE:SLE-15-SP5:Update/salt
- openSUSE:Factory/salt

Upstream fix: https://github.com/saltstack/salt/commit/e0cdb80b55123f4a024759ffcf2b3f0e0788e7ab
This is an autogenerated message for OBS integration: This bug (1219430) was mentioned in https://build.opensuse.org/request/show/1143454 Factory / salt
All submissions to the affected codestreams have been created. I'm setting the assignee back to Security team. Thanks.
SUSE-SU-2024:0510-1: An update that solves two vulnerabilities, contains one feature and has four security fixes can now be installed.
Category: security (important)
Bug References: 1193948, 1211649, 1215963, 1216284, 1219430, 1219431
CVE References: CVE-2024-22231, CVE-2024-22232
Jira References: MSQA-719
Sources used:
- openSUSE Leap 15.5 (src): salt-3006.0-150500.4.29.1
- SUSE Linux Enterprise Micro 5.5 (src): salt-3006.0-150500.4.29.1
- Basesystem Module 15-SP5 (src): salt-3006.0-150500.4.29.1
- Server Applications Module 15-SP5 (src): salt-3006.0-150500.4.29.1
- Transactional Server Module 15-SP5 (src): salt-3006.0-150500.4.29.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:0509-1: An update that solves two vulnerabilities, contains one feature and has four security fixes can now be installed.
Category: security (important)
Bug References: 1193948, 1211649, 1215963, 1216284, 1219430, 1219431
CVE References: CVE-2024-22231, CVE-2024-22232
Jira References: MSQA-719
Sources used:
- SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): salt-3006.0-150400.8.54.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): salt-3006.0-150400.8.54.1
- SUSE Manager Proxy 4.3 (src): salt-3006.0-150400.8.54.1
- SUSE Manager Retail Branch Server 4.3 (src): salt-3006.0-150400.8.54.1
- SUSE Manager Server 4.3 (src): salt-3006.0-150400.8.54.1
- openSUSE Leap 15.4 (src): salt-3006.0-150400.8.54.1
- openSUSE Leap Micro 5.3 (src): salt-3006.0-150400.8.54.1
- openSUSE Leap Micro 5.4 (src): salt-3006.0-150400.8.54.1
- SUSE Linux Enterprise Micro for Rancher 5.3 (src): salt-3006.0-150400.8.54.1
- SUSE Linux Enterprise Micro 5.3 (src): salt-3006.0-150400.8.54.1
- SUSE Linux Enterprise Micro for Rancher 5.4 (src): salt-3006.0-150400.8.54.1
- SUSE Linux Enterprise Micro 5.4 (src): salt-3006.0-150400.8.54.1
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): salt-3006.0-150400.8.54.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): salt-3006.0-150400.8.54.1
- SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): salt-3006.0-150400.8.54.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:0508-1: An update that solves two vulnerabilities, contains one feature and has four security fixes can now be installed.
Category: security (important)
Bug References: 1193948, 1211649, 1215963, 1216284, 1219430, 1219431
CVE References: CVE-2024-22231, CVE-2024-22232
Jira References: MSQA-719
Sources used:
- openSUSE Leap 15.3 (src): salt-3006.0-150300.53.70.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): salt-3006.0-150300.53.70.1
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): salt-3006.0-150300.53.70.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): salt-3006.0-150300.53.70.1
- SUSE Enterprise Storage 7.1 (src): salt-3006.0-150300.53.70.1
- SUSE Linux Enterprise Micro 5.1 (src): salt-3006.0-150300.53.70.1
- SUSE Linux Enterprise Micro 5.2 (src): salt-3006.0-150300.53.70.1
- SUSE Linux Enterprise Micro for Rancher 5.2 (src): salt-3006.0-150300.53.70.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:0507-1: An update that solves two vulnerabilities, contains one feature and has four security fixes can now be installed.
Category: security (important)
Bug References: 1193948, 1211649, 1215963, 1216284, 1219430, 1219431
CVE References: CVE-2024-22231, CVE-2024-22232
Jira References: MSQA-719
Sources used:
- SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): salt-3006.0-150200.118.1
- SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.118.1
- SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.118.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:0506-1: An update that solves two vulnerabilities, contains one feature and has four security fixes can now be installed.
Category: security (important)
Bug References: 1193948, 1211649, 1215963, 1216284, 1219430, 1219431
CVE References: CVE-2024-22231, CVE-2024-22232
Jira References: MSQA-719
Sources used:
- SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.117.1
- SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.117.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1525-1: An update that solves two vulnerabilities, contains one feature and has five security fixes can now be installed.
Category: security (important)
Bug References: 1211649, 1211888, 1216850, 1218482, 1219001, 1219430, 1219431
CVE References: CVE-2024-22231, CVE-2024-22232
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33468](https://smelt.suse.de/incident/33468/)
Sources used:
- SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (src): venv-salt-minion-3006.0-1.36.3
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1522-1: An update that solves two vulnerabilities, contains one feature and has five security fixes can now be installed.
Category: security (moderate)
Bug References: 1211649, 1211888, 1216850, 1218482, 1219001, 1219430, 1219431
CVE References: CVE-2024-22231, CVE-2024-22232
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33453](https://smelt.suse.de/incident/33453/)
Sources used:
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1521-1: An update that solves two vulnerabilities, contains one feature and has five security fixes can now be installed.
Category: security (moderate)
Bug References: 1211649, 1211888, 1216850, 1218482, 1219001, 1219430, 1219431
CVE References: CVE-2024-22231, CVE-2024-22232
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33452](https://smelt.suse.de/incident/33452/)
Sources used:
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-202404:15258-1: An update that solves two vulnerabilities, contains one feature and has five security fixes can now be installed.
Category: security (moderate)
Bug References: 1211649, 1211888, 1216850, 1218482, 1219001, 1219430, 1219431
CVE References: CVE-2024-22231, CVE-2024-22232
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33450](https://smelt.suse.de/incident/33450/)
Sources used:
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-202404:15257-1: An update that solves two vulnerabilities, contains one feature and has five security fixes can now be installed.
Category: security (moderate)
Bug References: 1211649, 1211888, 1216850, 1218482, 1219001, 1219430, 1219431
CVE References: CVE-2024-22231, CVE-2024-22232
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33447](https://smelt.suse.de/incident/33447/)
Sources used:
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1518-1: An update that solves two vulnerabilities, contains one feature and has five security fixes can now be installed.
Category: security (important)
Bug References: 1211649, 1211888, 1216850, 1218482, 1219001, 1219430, 1219431
CVE References: CVE-2024-22231, CVE-2024-22232
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33451](https://smelt.suse.de/incident/33451/)
Sources used:
- SUSE Manager Client Tools for SLE 15 (src): venv-salt-minion-3006.0-150000.3.54.3
- SUSE Manager Client Tools for SLE Micro 5 (src): venv-salt-minion-3006.0-150000.3.54.3
- SUSE Manager Proxy 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.54.3
- SUSE Manager Server 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.54.3
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1517-1: An update that solves two vulnerabilities, contains one feature and has five security fixes can now be installed.
Category: security (important)
Bug References: 1211649, 1211888, 1216850, 1218482, 1219001, 1219430, 1219431
CVE References: CVE-2024-22231, CVE-2024-22232
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33448](https://smelt.suse.de/incident/33448/)
Sources used:
- SUSE Manager Client Tools for SLE 12 (src): venv-salt-minion-3006.0-3.52.3
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-202404:15254-1: An update that solves two vulnerabilities, contains two features and has five security fixes can now be installed.
Category: security (moderate)
Bug References: 1211649, 1211888, 1216850, 1218482, 1219001, 1219430, 1219431
CVE References: CVE-2024-22231, CVE-2024-22232
Jira References: ECO-3319, MSQA-760
Maintenance Incident: [SUSE:Maintenance:33405](https://smelt.suse.de/incident/33405/)
Sources used:
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.