CNNVD-202511-3082 Information

CNNVD ID

CNNVD-202511-3082

CVE-2025-62349

  • CNNVD Published: 2025-11-20

Description (Chinese)

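SaltStack Salt is an open-source infrastructure management tool from SaltStack. It provides configuration management, remote execution and other functions. SaltStack Salt contains a security vulnerability caused by an authentication protocol version downgrade flaw, which may allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing the protections introduced for previous issues.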

Description (English)

SaltStack Salt is SaltStack's open-source tool for managing infrastructure. It provides configuration management, remote execution and related functions. SaltStack Salt has a security vulnerability that stems from an authentication protocol version downgrade: a malicious minion could use the older request payload format to bypass the newer authentication/security features, allowing it to impersonate another minion and circumvent the protective measures introduced for previous issues.

Vulnerability Type

Other

Affected Vendor

SaltStack

Published

2025-11-20

Last Modified

2026-02-24

References

https://docs.saltproject.io/en/latest/topics/releases/3006.17.html
https://docs.saltproject.io/en/latest/topics/releases/3007.9.html
https://vigilance.fr/vulnerability/SaltStack-Salt-user-access-via-Authentication-downgrade-48821

Patch

https://docs.saltproject.io/en/latest/topics/releases/3006.17.html
