venv-salt-minion (SUSE:EL-9:Update:Products:SaltBundle:Update) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:EL-9:Update:Products:SaltBundle:Update package venv-salt-minion, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (33)
CVE-2024-38824 — CVSS 9.6 (critical): Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory.
CVE-2024-6345 — CVSS 8.8 (high): A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download…
CVE-2024-8088: There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API…
CVE-2025-22236 — CVSS 8.1 (high): Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on…
CVE-2025-22239 — CVSS 8.1 (high): Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by and authorized minion to send arbitrary events…
CVE-2025-62348 — CVSS 7.8 (high): Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module…
CVE-2024-22232 — CVSS 7.7 (high): A specially crafted url can be created which leads to a directory traversal in the salt file server. A malicious user can read an arbitrary…
CVE-2024-7592 — CVSS 7.5 (high): There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that…
CVE-2025-67726 — CVSS 7.5 (high): Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing…
CVE-2025-67725 — CVSS 7.5 (high): Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP…
CVE-2024-3651 — CVSS 7.5 (high): A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue…
CVE-2025-47287 — CVSS 7.5 (high): Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain…
CVE-2024-4032 — CVSS 7.5 (high): The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally…
CVE-2025-13836 — CVSS 7.5 (high): When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This…
CVE-2024-0397 — CVSS 7.4 (high): A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods…
CVE-2023-34049 — CVSS 6.7 (medium): The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run…
CVE-2025-22237 — CVSS 6.7 (medium): An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause…
CVE-2024-38825 — CVSS 6.4 (medium): The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated…
CVE-2025-22240 — CVSS 6.3 (medium): Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using…
CVE-2024-5569 — CVSS 6.2 (medium): A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is…
CVE-2025-62349 — CVSS 6.2 (medium): Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer…
CVE-2023-28370 — CVSS 6.1 (medium): Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an…
CVE-2025-22242 — CVSS 5.6 (medium): Worker process denial of service through file read operation. .A vulnerability exists in the Master's “pub_ret” method which is exposed…
CVE-2025-22241 — CVSS 5.6 (medium): File contents overwrite the VirtKey class is called when “on-demand pillar” data is requested and uses un-validated input to create…
CVE-2024-6923 — CVSS 5.5 (medium): There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when…
CVE-2025-67724 — CVSS 5.4 (medium): Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used…
CVE-2023-20897 — CVSS 5.3 (medium): Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to…
CVE-2024-22231 — CVSS 5.0 (medium): Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create…
CVE-2024-37891 — CVSS 4.4 (medium): urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the…
CVE-2023-20898 — CVSS 4.2 (medium): Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or…
CVE-2025-22238 — CVSS 4.2 (medium): Directory traversal attack in minion file cache creation. The master's default cache is vulnerable to a directory traversal attack. Which…
CVE-2024-38823 — CVSS 2.7 (low): Salt's request server is vulnerable to replay attacks when not using a TLS encrypted transport.
CVE-2024-38822 — CVSS 2.7 (low): Multiple methods in the salt master skip minion token validation. Therefore a misbehaving minion can impersonate another minion.