CVE-2023-20898

NameCVE-2023-20898
DescriptionGit Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1051504

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
salt (PTS)jessie, jessie (lts)2014.1.13+ds-3+deb8u2vulnerable
stretch (security), stretch (lts), stretch2016.11.2+ds-1+deb9u10vulnerable
buster (security), buster, buster (lts)2018.3.4+dfsg1-6+deb10u3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
saltsourcejessie(unfixed)end-of-life
saltsourcestretch(unfixed)end-of-life
saltsourcebuster(unfixed)end-of-life
saltsource(unstable)(unfixed)1051504

Notes

[buster] - salt <end-of-life> (EOL in buster LTS)
https://saltproject.io/security-announcements/2023-08-10-advisory/
Search for package or bug name: Reporting problems