How the CVE Works
The vulnerability exists in SaltStack’s GitFS `find_file` method, where user-controlled input from the `tgt_env` variable is passed directly to `os.path.join` without validation. An attacker can manipulate this input to traverse directories (`../`) and either delete arbitrary files or create unauthorized directories on the Salt Master server. Since the Master process typically runs with elevated privileges, this could lead to system compromise, configuration tampering, or service disruption.
DailyCVE Form
Platform: SaltStack
Version: 3006.0rc1-3006.11, 3007.0rc1-3007.3
Vulnerability: Path Traversal
Severity: Moderate
Date: Jun 13, 2025
Prediction: Patch expected by Jun 20, 2025
What Undercode Say
```bash
# Check Salt Master version
salt --versions-report | grep Salt

# Exploit PoC (simulated path traversal)
curl -X POST http://salt-master/gitfs -d 'tgt_env=../../../etc/passwd'

# Mitigation (temporary workaround)
chmod 700 /etc/salt/gitfs
```
How the Exploit Works
- Attacker crafts malicious `tgt_env` payload with `../` sequences.
- Payload bypasses path sanitization in GitFS backend.
- Salt Master processes request, deleting/creating files at attacker-specified locations.
Protection from this CVE
- Upgrade to SaltStack 3006.12 or 3007.4.
- Restrict GitFS environment names to alphanumeric chars.
- Run Salt Master with least-privilege permissions.
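The allow-list restriction above, shown next to the unvalidated `os.path.join` pattern, as an added example (not Salt's code or its patch). The function names, the `ENV_NAME` pattern and the cache path are hypothetical, and the letters-and-digits policy is taken from the recommendation in this list.

```python
import os
import re

# Assumption: names are ASCII letters and digits only, per the page's advice.
# Names containing '-', '_' or '/' are rejected under this policy.
ENV_NAME = re.compile(r"[A-Za-z0-9]+")


class UnsafeEnvName(ValueError):
    """A tgt_env value that must not be turned into a filesystem path."""


def unsafe_env_path(cache_root, tgt_env):
    # Pattern described on the page: the value goes straight into os.path.join.
    # '../' segments climb out of cache_root; an absolute value replaces it.
    return os.path.join(cache_root, tgt_env)


def safe_env_path(cache_root, tgt_env):
    # 1. Allow-list the name before it touches any path API.
    if not isinstance(tgt_env, str) or not ENV_NAME.fullmatch(tgt_env):
        raise UnsafeEnvName(f"rejected environment name: {tgt_env!r}")
    # 2. Defense in depth: resolve symlinks and confirm containment.
    root = os.path.realpath(cache_root)
    candidate = os.path.realpath(os.path.join(root, tgt_env))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeEnvName(f"{tgt_env!r} resolves outside {root}")
    return candidate


def audit(cache_root, names):
    """Map each name to its resolved path, or None when it is rejected."""
    result = {}
    for name in names:
        try:
            result[name] = safe_env_path(cache_root, name)
        except UnsafeEnvName:
            result[name] = None
    return result


if __name__ == "__main__":
    # Constructed sample values; the cache path is a placeholder.
    root = "/srv/example/gitfs"
    for name in ["base", "dev2", "../../../etc", "/etc", "dev-1", ""]:
        print(repr(name), "->", os.path.normpath(unsafe_env_path(root, name)),
              "| checked:", audit(root, [name])[name])
```

The second check matters even with the allow-list in place: a name that passes the pattern can still be a symlink inside the cache directory that points elsewhere.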
Impact
- Unauthorized file deletion/modification.
- Privilege escalation potential.
- Master service disruption.
Sources:
Reported By: github.com