{"id":"GHSA-c46w-gr7f-jm2p","summary":"Salt vulnerable to arbitrary event injection","details":"Arbitrary event injection on Salt Master. The master's \"_minion_event\" method can be used by and authorized minion to send arbitrary events onto the master's event bus.","aliases":["CVE-2025-22239"],"modified":"2025-06-13T22:12:21.069355Z","published":"2025-06-13T09:30:33Z","database_specific":{"github_reviewed":true,"severity":"HIGH","github_reviewed_at":"2025-06-13T21:21:04Z","nvd_published_at":"2025-06-13T07:15:21Z","cwe_ids":["CWE-285"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22239"},{"type":"WEB","url":"https://github.com/saltstack/salt/commit/41d834bf800d86fc496e4fac2d3875fc2aca7c62"},{"type":"WEB","url":"https://docs.saltproject.io/en/3006/topics/releases/3006.12.html"},{"type":"WEB","url":"https://docs.saltproject.io/en/3007/topics/releases/3007.4.html"},{"type":"PACKAGE","url":"https://github.com/saltstack/salt"}],"affected":[{"package":{"name":"salt","ecosystem":"PyPI","purl":"pkg:pypi/salt"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3006.0rc1"},{"fixed":"3006.12"}]}],"versions":["3006.0","3006.0rc1","3006.0rc2","3006.0rc3","3006.1","3006.10","3006.11","3006.2","3006.3","3006.4","3006.5","3006.6","3006.7","3006.8","3006.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-c46w-gr7f-jm2p/GHSA-c46w-gr7f-jm2p.json"}},{"package":{"name":"salt","ecosystem":"PyPI","purl":"pkg:pypi/salt"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3007.0rc1"},{"fixed":"3007.4"}]}],"versions":["3007.0","3007.0rc1","3007.1","3007.2","3007.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-c46w-gr7f-jm2p/GHSA-c46w-gr7f-jm2p.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L"}]}