CVE-2023-20897
Description
Salt masters prior to 3005.2 or 3006.2 contain a DoS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-20897 describes a denial-of-service vulnerability in Salt masters prior to 3005.2 or 3006.2 caused by malformed packets depleting worker threads on the request server.
Vulnerability
Description
CVE-2023-20897 is a denial-of-service (DoS) vulnerability in Salt masters prior to versions 3005.2 or 3006.2. The root cause is improper handling of errors in decoded messages on the request server. An attacker can send a crafted sequence of malformed packets ("bad packets") to the master's request server, and once the number of such packets equals the number of worker threads, all worker threads become occupied handling these faulty messages. [2][4]
Exploitation
An unauthenticated attacker can exploit this vulnerability over the network by sending a series of specially crafted packets to port 4506 (the minion return port). No special access or credentials are required. Each bad packet consumes a worker thread, and because the errors are not properly handled, the threads are not released. Once the attacker sends a number of packets equal to the configured worker thread count, the master becomes unresponsive to legitimate return requests. [2][4]
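The exhaustion pattern described above, as an added example that is not Salt's own request-server code: a fixed pool of worker threads takes frames off a shared inbox and decodes them. The wire format (one JSON object per frame), the names `decode_frame`, `demo_frames` and `run_pool`, the sample traffic and the two-worker pool size are all constructed for this illustration. In the fragile variant the decode error escapes the worker loop, so the thread ends and nothing replaces it; once as many malformed frames as there are workers have arrived, no worker remains for the well-formed returns queued behind them. The hardened variant catches the error per frame and keeps serving, which is the general fix for this failure mode in any framed request server.

```python
"""Constructed simulation of worker-pool exhaustion by undecodable frames.

Not Salt's code: a fixed pool of worker threads drains a shared inbox of
byte frames. If a decode error is allowed to escape the worker loop, the
thread exits and is never replaced, so N bad frames disable N workers.
"""
import json
import queue
import threading


class DecodeError(Exception):
    """Raised when a frame cannot be turned into a request message."""


def decode_frame(frame: bytes) -> dict:
    # Constructed wire format for this demo: one UTF-8 JSON object per frame.
    # Anything that is not valid UTF-8, not JSON, or not an object is a "bad packet".
    try:
        obj = json.loads(frame.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise DecodeError(f"undecodable frame: {exc}") from exc
    if not isinstance(obj, dict):
        raise DecodeError("frame is not an object")
    return obj


def demo_frames() -> list:
    """Constructed sample traffic: two malformed frames arrive before three valid returns."""
    bad = [b"\xff\xfe\x00not-utf8", b"[1, 2, 3]"]
    good = [json.dumps({"id": i, "cmd": "_return", "fun": "test.ping"}).encode() for i in (1, 2, 3)]
    return bad + good


def run_pool(frames: list, worker_count: int, catch_errors: bool) -> dict:
    """Serve `frames` with a fixed pool of `worker_count` threads.

    Returns the handled message ids, how many workers died, and how many
    frames were left unserviced in the inbox.
    """
    inbox: queue.Queue = queue.Queue()
    for frame in frames:
        inbox.put(frame)
    handled, crashed = [], []
    lock = threading.Lock()

    def serve() -> None:
        # The worker loop. It returns cleanly only once the inbox has drained.
        while True:
            try:
                frame = inbox.get(timeout=0.05)
            except queue.Empty:
                return
            try:
                msg = decode_frame(frame)
            except DecodeError:
                if not catch_errors:
                    raise  # fragile variant: the error escapes the loop
                continue  # hardened variant: drop this frame, keep serving
            with lock:
                handled.append(msg["id"])

    def worker() -> None:
        try:
            serve()
        except DecodeError:
            # Stands in for the thread runtime: the thread ends here and
            # nothing restarts it, so the pool is one worker smaller.
            with lock:
                crashed.append(threading.current_thread().name)

    threads = [threading.Thread(target=worker, name=f"worker-{i}") for i in range(worker_count)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "handled": sorted(handled),
        "crashed_workers": len(crashed),
        "unserviced": inbox.qsize(),
    }


if __name__ == "__main__":
    frames = demo_frames()
    print("fragile :", run_pool(frames, worker_count=2, catch_errors=False))
    print("hardened:", run_pool(frames, worker_count=2, catch_errors=True))
```

With two workers and two bad frames at the head of the inbox, the fragile pool loses both workers and the three valid returns are never serviced, while the hardened pool handles all three. Raise the pool to three workers and the fragile variant still loses two, but the survivor drains the queue: the threshold is exactly the worker count, which is why the advisory phrases the condition as bad packets "equal to the number of worker threads".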
Impact
Successful exploitation results in a denial-of-service condition: the Salt master stops processing return requests from minions until it is manually restarted. This renders the master unable to manage infrastructure, disrupting automation and configuration management operations. The CVSS score is 5.3 (Medium) with a vector string AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, reflecting the network-based, low-complexity attack that requires no privileges and causes limited availability impact. [2]
Mitigation
The vulnerability is fixed in Salt versions 3005.2 and 3006.2. Administrators should upgrade affected Salt masters to these patched versions. As an interim mitigation, access to port 4506 from untrusted sources can be firewalled, and security scanning software should be restricted to prevent triggering the vulnerability. [4]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| salt (PyPI) | < 3005.2 | 3005.2 |
| salt (PyPI) | >= 3006.0rc1, < 3006.2 | 3006.2 |
Affected products
- Salt / Salt masters (vendor and product as given in the CVE description)
- GHSA coordinates: 50 package URLs, each with its affected version range (no CPE)

| Package URL | Affected range (no CPE) |
|---|---|
| pkg:pypi/salt | < 3005.2 |
| pkg:rpm/opensuse/salt&distro=openSUSE%20Leap%2015.4 | < 3006.0-150400.8.44.1 |
| pkg:rpm/opensuse/salt&distro=openSUSE%20Leap%2015.5 | < 3006.0-150500.4.19.1 |
| pkg:rpm/suse/release-notes-susemanager&distro=SUSE%20Manager%20Server%204.3 | < 4.3.8-150400.3.77.1 |
| pkg:rpm/suse/release-notes-susemanager-proxy&distro=SUSE%20Manager%20Proxy%204.3 | < 4.3.8-150400.3.61.2 |
| pkg:rpm/suse/saltbundle-libsodium&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 1.0.18-1.9.1 |
| pkg:rpm/suse/saltbundlepy-cffi&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 1.15.1-1.6.1 |
| pkg:rpm/suse/saltbundlepy-core&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 3.10.10-1.9.1 |
| pkg:rpm/suse/saltbundlepy-cryptography&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 3.3.2-1.9.2 |
| pkg:rpm/suse/saltbundlepy-cryptography-vectors&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 3.3.2-1.6.1 |
| pkg:rpm/suse/saltbundlepy-cython&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 0.29.32-1.6.1 |
| pkg:rpm/suse/saltbundlepy&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 3.10.10-1.9.1 |
| pkg:rpm/suse/saltbundlepy-kiwi&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 9.24.43-1.9.1 |
| pkg:rpm/suse/saltbundlepy-lxml&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 4.9.2-1.9.1 |
| pkg:rpm/suse/saltbundlepy-pycparser&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 2.17-1.6.1 |
| pkg:rpm/suse/saltbundlepy-pytz&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 2022.1-1.9.1 |
| pkg:rpm/suse/saltbundlepy-pyxattr&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 0.7.2-1.6.2 |
| pkg:rpm/suse/saltbundlepy-pyzmq&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 24.0.1-1.9.2 |
| pkg:rpm/suse/saltbundlepy-rpm-macros&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 20211001.fc6c04e-1.6.1 |
| pkg:rpm/suse/saltbundle-zeromq&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 4.2.3-1.6.2 |
| pkg:rpm/suse/salt&distro=SUSE%20Enterprise%20Storage%207.1 | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS | < 3006.0-150100.107.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS | < 3006.0-150200.108.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 | < 3006.0-150400.8.44.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 | < 3006.0-150400.8.44.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 | < 3006.0-150400.8.44.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 | < 3006.0-150500.4.19.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP4 | < 3006.0-150400.8.44.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP5 | < 3006.0-150500.4.19.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Transactional%20Server%2015%20SP4 | < 3006.0-150400.8.44.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Transactional%20Server%2015%20SP5 | < 3006.0-150500.4.19.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS | < 3006.0-150100.107.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS | < 3006.0-150200.108.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 | < 3006.0-150100.107.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 | < 3006.0-150200.108.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Manager%20Proxy%204.2 | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt&distro=SUSE%20Manager%20Server%204.2 | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/venv-salt-minion&distro=SUSE%20Manager%20Client%20Tools%2012 | < 3006.0-3.40.1 |
| pkg:rpm/suse/venv-salt-minion&distro=SUSE%20Manager%20Client%20Tools%2015 | < 3006.0-150000.3.42.1 |
| pkg:rpm/suse/venv-salt-minion&distro=SUSE%20Manager%20Client%20Tools%20for%20RHEL,%20Liberty%20and%20Clones%209-CLIENT-TOOLS | < 3006.0-1.24.1 |
| pkg:rpm/suse/venv-salt-minion&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205 | < 3006.0-150000.3.42.1 |
| pkg:rpm/suse/venv-salt-minion&distro=SUSE%20Manager%20Proxy%20Module%204.3 | < 3006.0-150000.3.42.1 |
| pkg:rpm/suse/venv-salt-minion&distro=SUSE%20Manager%20Server%20Module%204.3 | < 3006.0-150000.3.42.1 |
| pkg:rpm/suse/venv-salt-minion&distro=SUSE:EL-9:Update:Products:SaltBundle:Update | < 3006.0-1.24.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vpjg-wmf8-29h9 (source: ghsa, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-20897 (source: ghsa, type: ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2023-166.yaml (source: ghsa, type: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMWJIHQZXHK6FH2E3IWAZCYIRI7FLVOL (source: ghsa, type: WEB)
- saltproject.io/security-announcements/2023-08-10-advisory (source: ghsa, type: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMWJIHQZXHK6FH2E3IWAZCYIRI7FLVOL/ (source: mitre)
- saltproject.io/security-announcements/2023-08-10-advisory/ (source: mitre)
News mentions
No linked articles in our index yet.