CVE-2025-22242

Worker process denial of service through file read operation. .A vulnerability exists in the Master's “pub_ret” method which is exposed to all minions. The un-sanitized input value “jid” is used to construct a path which is then opened for reading. An attacker could exploit this vulnerabilities by attempting to read from a filename that will not return any data, e.g. by targeting a pipe node on the proc file system.

CVSS v3 5.6 MEDIUM

5.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.3 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://docs.saltproject.io/en/3006/topics/releases/3006.12.html
https://docs.saltproject.io/en/3007/topics/releases/3007.4.html

Configurations

No configuration.

History

17 Jun 2025, 18:15

Type	Values Removed	Values Added
CWE		CWE-400

16 Jun 2025, 12:32

Type	Values Removed	Values Added
Summary		(es) Denegación de servicio del proceso de trabajo mediante la operación de lectura de archivos. Existe una vulnerabilidad en el método "pub_ret" del maestro, que está expuesta a todos los minions. El valor de entrada "jid", sin depurar, se utiliza para construir una ruta que posteriormente se abre para lectura. Un atacante podría explotar esta vulnerabilidad intentando leer un nombre de archivo que no devuelva datos, por ejemplo, atacando un nodo de canalización en el sistema de archivos proc.

13 Jun 2025, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-13 07:15

Updated : 2025-06-17 18:15

NVD link : CVE-2025-22242

Mitre link : CVE-2025-22242

CVE.ORG link : CVE-2025-22242

JSON object : View

Products Affected

No product.

CWE

CWE-400

Uncontrolled Resource Consumption

5.6 /10