SaltStack reveals new critical vulnerabilities, patch now (Security News, November 2020)

SaltStack, now owned by VMware, has disclosed three vulnerabilities affecting Salt versions 3002 and earlier, two of them rated high/critical; patches are available as of today.
Although the details were only published today, the fixes for all three vulnerabilities had been committed to the public GitHub repository, and were therefore visible to anyone watching it, well before the announcement.
Pre-announcing the vulnerabilities before publishing details is a cautious move on SaltStack's part, given the widespread attacks that hit unpatched Salt instances earlier this year.
"Two of these vulnerabilities are expected to be rated as high/critical and the other is expected to be low based on the Common Vulnerability Scoring System. Once SaltStack became aware of the vulnerabilities, we quickly took actions to remediate them," stated the October 30th advisory.
Patches are also available for older release branches such as 2019.x. Alongside the fixes, SaltStack has published guidance on hardening Salt deployments; that guidance applies beyond this release, since applying patches promptly is necessary but not sufficient, and further vulnerabilities will be disclosed from time to time.