2372688 – (CVE-2025-22237) CVE-2025-22237 salt: Code injection in salt project

Bug 2372688 (CVE-2025-22237) - CVE-2025-22237 salt: Code injection in salt project

Summary: CVE-2025-22237 salt: Code injection in salt project

Keywords:
Status:	NEW
Alias:	CVE-2025-22237
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2372768 2372770 2372773 2372775
Blocks:
TreeView+	depends on / blocked

Reported:	2025-06-13 14:01 UTC by OSIDB Bzimport
Modified:	2025-06-13 18:18 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-06-13 14:01:12 UTC

An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause and arbitrary command to be run on the master with the same privileges as the master process.

Note You need to log in before you can comment on or make changes to this bug.