CVE-2023-20898
CVE-2023-20898 is a medium-severity vulnerability in Saltstack Salt with a CVSS 3.x base score of 4.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Medium (CVSS 3.x base score 4.2)
- EPSS exploit prediction: 0% (20th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Saltstack Salt
- Published:
- Last modified:
Description
Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.
Frequently asked questions
- What is CVE-2023-20898?
- Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.
- How severe is CVE-2023-20898?
- CVE-2023-20898 has a CVSS 3.x base score of 4.2, rated medium severity. It is exploitable over local access with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2023-20898 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (20th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-20898?
- CVE-2023-20898 affects Saltstack Salt. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-20898?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-20898 published?
- CVE-2023-20898 was published on 2023-09-05 and last updated on 2026-06-17.
References
- https://lists.fedoraproject.org/archives/list/[email protected]/message/OMWJIHQZXHK6FH2E3IWAZCYIRI7FLVOL/
- https://saltproject.io/security-announcements/2023-08-10-advisory/
Affected products (1)
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
More vulnerabilities in Saltstack Salt
- CVE-2013-6617 — Critical (CVSS 10.0): The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it…
- CVE-2013-4437 — Critical (CVSS 10.0): Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0 has unspecified impact and vectors related to…
- CVE-2021-33226 — Critical (CVSS 9.8): Buffer Overflow vulnerability in Saltstack v.3003 and before allows attacker to execute arbitrary code via the func…
- CVE-2021-25315 — Critical (CVSS 9.8): CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed…
- CVE-2021-3197 — Critical (CVSS 9.8): An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection…
- CVE-2021-3148 — Critical (CVSS 9.8): An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in…