{"api_version":"1","generated_at":"2026-04-23T09:53:08+00:00","cve":"CVE-2022-22934","urls":{"html":"https://cve.report/CVE-2022-22934","api":"https://cve.report/api/cve/CVE-2022-22934.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-22934","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-22934"},"summary":{"title":"CVE-2022-22934","description":"An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data.","state":"PUBLIC","assigner":"security@vmware.com","published_at":"2022-03-29 17:15:00","updated_at":"2023-12-21 18:45:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://github.com/saltstack/salt/releases%2C","name":"https://github.com/saltstack/salt/releases%2C","refsource":"","tags":[],"title":"","mime":"text/plain","httpstatus":"404","archivestatus":"404"},{"url":"https://saltproject.io/security_announcements/salt-security-advisory-release/%2C","name":"https://saltproject.io/security_announcements/salt-security-advisory-release/%2C","refsource":"","tags":[],"title":"Salt Security Advisory Release – Salt Project","mime":"text/html","httpstatus":"404","archivestatus":"200"},{"url":"https://repo.saltproject.io/","name":"https://repo.saltproject.io/","refsource":"MISC","tags":[],"title":"Salt Project Package Repo","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://saltproject.io/security_announcements/salt-security-advisory-release/,","name":"https://saltproject.io/security_announcements/salt-security-advisory-release/,","refsource":"MISC","tags":[],"title":"Salt Security Advisory Release – Salt Project","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/saltstack/salt/releases,","name":"https://github.com/saltstack/salt/releases,","refsource":"MISC","tags":[],"title":"","mime":"text/plain","httpstatus":"404","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202310-22","name":"GLSA-202310-22","refsource":"GENTOO","tags":[],"title":"Salt: Multiple Vulnerabilities (GLSA 202310-22) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-22934","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22934","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"22934","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"saltstack","cpe5":"salt","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-22934","qid":"502365","title":"Alpine Linux Security Update for salt"},{"cve":"CVE-2022-22934","qid":"710782","title":"Gentoo Linux Salt Multiple Vulnerabilities (GLSA 202310-22)"},{"cve":"CVE-2022-22934","qid":"751945","title":"SUSE Enterprise Linux Security Update for salt (SUSE-SU-2022:1060-1)"},{"cve":"CVE-2022-22934","qid":"751948","title":"SUSE Enterprise Linux Security Update for salt (SUSE-SU-2022:1058-1)"},{"cve":"CVE-2022-22934","qid":"751949","title":"SUSE Enterprise Linux Security Update for salt (SUSE-SU-2022:1057-1)"},{"cve":"CVE-2022-22934","qid":"751953","title":"OpenSUSE Security Update for salt (openSUSE-SU-2022:1059-1)"},{"cve":"CVE-2022-22934","qid":"752018","title":"SUSE Enterprise Linux Security Update for salt (SUSE-SU-2022:1059-1)"},{"cve":"CVE-2022-22934","qid":"994798","title":"Python (Pip) Security Update for salt (GHSA-2q4g-wfm6-5fpm)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2022-22934","ASSIGNER":"security@vmware.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"SaltStack Salt","version":{"version_data":[{"version_value":"SaltStack Salt prior to 3002.8, 3003.4, 3004.1"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Salt Masters do not sign pillar data with the minion’s public key."}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://saltproject.io/security_announcements/salt-security-advisory-release/,","url":"https://saltproject.io/security_announcements/salt-security-advisory-release/,"},{"refsource":"MISC","name":"https://github.com/saltstack/salt/releases,","url":"https://github.com/saltstack/salt/releases,"},{"refsource":"MISC","name":"https://repo.saltproject.io/","url":"https://repo.saltproject.io/"},{"refsource":"GENTOO","name":"GLSA-202310-22","url":"https://security.gentoo.org/glsa/202310-22"}]},"description":{"description_data":[{"lang":"eng","value":"An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Salt Masters do not sign pillar data with the minion’s public key, which can result in attackers substituting arbitrary pillar data."}]}},"nvd":{"publishedDate":"2022-03-29 17:15:00","lastModifiedDate":"2023-12-21 18:45:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:A/AC:L/Au:N/C:P/I:P/A:P","accessVector":"ADJACENT_NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":5.8},"severity":"MEDIUM","exploitabilityScore":6.5,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"3003","versionEndExcluding":"3003.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"3004","versionEndExcluding":"3004.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"3002","versionEndExcluding":"3002.8","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"22934","Ordinal":"225539","Title":"CVE-2022-22934","CVE":"CVE-2022-22934","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"22934","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}