Active Salt CVE Announcement - 2021-JAN-21

Several critical vulnerabilities have been discovered in Salt. These affect versions 3002 and earlier.

For most of these, we expect the Common Vulnerability Scoring System (CVSS) rating to be high or critical. We quickly took action to remediate once we were made aware of the vulnerabilities.

We are preparing a CVE release to be generally available on Thursday, February 4th around noon MST. The CVE packages will be available for 3002.3, 3001.5, and 3000.7, and patches will be available for older versions.

The release will contain only the patches available to resolve and remediate the identified vulnerabilities. We recommend reviewing the article Hardening Salt to ensure you are actively following SaltStack's best practices for securing your Salt environment. These practices ensure you are safeguarded.

We advise applying the CVE release as soon as it is available. Please contact us at saltproject-security.pdl@broadcom.com if you have any questions or comments.