GHSA-4j59-vv55-q6h3

GitHub Security Advisory

Salt's salt.auth.pki module does not properly authenticate callers

GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted.
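The gap described above, shown as an added example with the openssl command line. This is not Salt's code or its fix. The function and file names are assumptions, and all keys and certificates are constructed test material. It contrasts a chain-only check with one that also demands a signature over a fresh server nonce.

```sh
#!/bin/sh
# Constructed demo: every key and certificate here is throwaway, generated locally.
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Build a test CA, a certificate for "alice", and an unrelated key in directory $1.
setup_pki() {
    openssl req -x509 $EC -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj "/CN=Constructed Test CA" -days 1 2>/dev/null &&
    openssl req -new $EC -keyout "$1/alice.key" -out "$1/alice.csr" \
        -subj "/CN=alice" 2>/dev/null &&
    openssl x509 -req -in "$1/alice.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/alice.crt" -days 1 2>/dev/null &&
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/other.key" 2>/dev/null
}

# Weak check, as the advisory describes it: the submitted certificate chains to
# the CA. Only the public certificate is needed, so the caller proves nothing.
cert_only_check() {    # $1=CA cert  $2=submitted cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Client side: sign the server's fresh nonce with a private key.
sign_nonce() {         # $1=private key  $2=nonce file  $3=signature output
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Stronger check: the chain validates AND the signature over the nonce verifies
# under the public key taken from the certificate (proof of possession).
possession_check() {   # $1=CA cert  $2=cert  $3=nonce file  $4=signature
    cert_only_check "$1" "$2" || return 1
    pub=$(mktemp) || return 1
    rc=0
    { openssl x509 -in "$2" -pubkey -noout >"$pub" 2>/dev/null &&
      openssl dgst -sha256 -verify "$pub" -signature "$4" "$3" >/dev/null 2>&1; } || rc=1
    rm -f "$pub"
    return $rc
}

d=$(mktemp -d) && setup_pki "$d" && openssl rand -hex 32 >"$d/nonce"
sign_nonce "$d/alice.key" "$d/nonce" "$d/good.sig"   # caller holding alice's key
sign_nonce "$d/other.key" "$d/nonce" "$d/bad.sig"    # caller holding only alice.crt
cert_only_check "$d/ca.crt" "$d/alice.crt" && echo "cert only: accepted"
possession_check "$d/ca.crt" "$d/alice.crt" "$d/nonce" "$d/good.sig" && echo "key holder: accepted"
possession_check "$d/ca.crt" "$d/alice.crt" "$d/nonce" "$d/bad.sig" || echo "wrong key: rejected"
```

The nonce must be generated by the verifier for each attempt; a signature made over an earlier nonce does not verify against a new one.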

Affected Packages

PyPI salt
Affected versions: 3006.0rc1 (fixed in 3006.12)
PyPI salt
Affected versions: 3007.0rc1 (fixed in 3007.4)

Key Information

GHSA ID: GHSA-4j59-vv55-q6h3
Published: June 13, 2025 9:30 AM
Last Modified: June 13, 2025 9:15 PM
CVSS Score: 5.0/10
Primary Ecosystem: PyPI
Primary Package: salt
GitHub Reviewed: Yes

Dataset

Last updated: June 14, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.