CVE-2023-20898
Description
Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Salt masters prior to 3005.2 and 3006.2, Git Providers configured for different environments derive the same cache directory base name, so one environment can read another's cached data; the result can be wrongful data disclosure, wrongful state executions, data corruption, or a crash of the master.
Vulnerability
CVE-2023-20898 affects Salt masters running versions prior to 3005.2 or 3006.2. The root cause is that Git Providers (the Git-backed fileserver, pillar and winrepo backends) derive their cache directory base name from a hash that does not incorporate environment information. When the same repository is configured for different environments, every instance resolves to the same cache directory on the master, so a fetch or checkout performed by one instance changes what the others read back, leading to data cross-contamination [4].
Exploitation
Exploitation requires local access to the Salt master and is rated CVSS 4.2 (AV:L/AC:H/PR:L/UI:N/S:C). An attacker with low privileges who can influence what one environment's Git Provider writes into the shared cache directory can cause another environment's provider to read that content instead of its own; the garbage or wrong data then flows into whatever consumes it, such as state execution [2][4]. The high attack-complexity rating is consistent with the collision depending on how the master's Git Providers are configured and on the timing of cache refreshes; the same collision can also surface without any attacker, as intermittently wrong or corrupt data.
Impact
Successful exploitation can lead to wrongful data disclosure, wrongful executions, data corruption, or a crash of the master. The confidentiality (C:L) and integrity (I:L) impacts are each rated low, but a master that serves another environment's states, pillar data or winrepo content to its minions can push the wrong configuration fleet-wide, so the consequences may be severe in sensitive environments [2][4].
Mitigation
The Salt Project advises upgrading to Salt 3005.2 or 3006.2. The fix includes environment information in the hash that forms the cache directory name, so instances serving different environments no longer share a directory, and adds a multiprocessing lock around cache updates to prevent race conditions between master worker processes [4]. Distribution packages carrying the backported fix are listed under Affected products. After upgrading, confirm the installed version with `salt --versions-report` on the master and restart the master so the new cache layout takes effect.
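To make the collision concrete, the following Python model is an added example, not Salt's code and not taken from the advisory. It reproduces the failure the Vulnerability section describes (two Git Provider instances for the same remote but different environments resolving to one cache directory) beside the hardened naming the Mitigation section describes. The remote URL, environment names, top-file contents and the in-memory stand-in for the cache are constructed for the example, and the exact hash inputs are an assumption, not the fields Salt actually uses.

```python
"""Illustrative model of the CVE-2023-20898 cache-directory collision.

Added example, not Salt's code: it reproduces the failure mode the advisory
describes (two Git Provider instances for the same remote but different
environments sharing one cache directory) next to a hardened naming scheme.
Hash inputs, names and contents are assumptions made for the demo.
"""
import hashlib
import multiprocessing
from typing import Callable, Dict

Namer = Callable[[str, str, str], str]

# Constructed sample: one upstream repository served to two saltenvs.
REMOTE = "https://git.example.invalid/salt-states.git"

# Stands in for /var/cache/salt/master/gitfs/<basename>/ on the master.
FAKE_CACHE: Dict[str, Dict[str, str]] = {}


def cachedir_basename_vulnerable(remote: str, role: str, env: str) -> str:
    """Pre-3005.2 / pre-3006.2 behaviour as the advisory describes it:
    only the remote URL feeds the hash, so role and env never change it."""
    return hashlib.sha1(remote.encode()).hexdigest()


def cachedir_basename_fixed(remote: str, role: str, env: str) -> str:
    """Hardened naming: the provider role (gitfs, git_pillar, winrepo) and the
    environment it serves are mixed into the digest, so instances that must
    not share state cannot resolve to the same directory."""
    material = "\0".join((role, env, remote)).encode()
    return hashlib.sha256(material).hexdigest()


class GitProviderModel:
    """Minimal stand-in for one Git Provider instance that checks out one
    environment of one remote into its cache directory."""

    # Serialises cache updates across master worker processes, the second
    # half of the fix as the advisory describes it.
    _lock = multiprocessing.Lock()

    def __init__(self, role: str, remote: str, env: str, namer: Namer):
        self.role, self.remote, self.env = role, remote, env
        self.cachedir = namer(remote, role, env)

    def refresh(self, top_sls: str) -> None:
        """Simulates a fetch/checkout writing this env's files into the cache."""
        with self._lock:
            FAKE_CACHE.setdefault(self.cachedir, {})["top.sls"] = top_sls

    def read_top(self) -> str:
        """What the fileserver would hand to minions for this env."""
        return FAKE_CACHE[self.cachedir]["top.sls"]


def run_scenario(namer: Namer) -> Dict[str, object]:
    """Refresh a prod and a dev provider for the same remote, then report
    whether they collided and what each one reads back."""
    FAKE_CACHE.clear()
    prod = GitProviderModel("gitfs", REMOTE, "prod", namer)
    dev = GitProviderModel("gitfs", REMOTE, "dev", namer)
    prod.refresh("base: {'*': ['prod_hardening']}")  # constructed content
    dev.refresh("base: {'*': ['dev_debug_tools']}")   # constructed content
    return {
        "shared_dir": prod.cachedir == dev.cachedir,
        "prod_sees": prod.read_top(),
        "dev_sees": dev.read_top(),
    }


if __name__ == "__main__":
    for label, namer in (("vulnerable", cachedir_basename_vulnerable),
                         ("fixed", cachedir_basename_fixed)):
        print(label, run_scenario(namer))
```

With the vulnerable namer both instances land in the same directory and the prod provider hands out the dev top file after the dev refresh; with the fixed namer each instance keeps its own directory. The lock only serialises writes in this model; it does not by itself prevent the collision, which is why the naming change is the essential part of the fix.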
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| salt | PyPI | < 3005.2 | 3005.2 |
| salt | PyPI | >= 3006.0rc1, < 3006.2 | 3006.2 |
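To check an installed master against the ranges in the table above, the following Python helper is an added example, not part of the advisory or of Salt. It parses Salt's version strings (including release candidates such as 3006.0rc1), evaluates both affected ranges, and pulls the version out of `salt --versions-report` output; the report excerpt and the version strings are constructed for the example.

```python
"""Check a Salt version against the CVE-2023-20898 affected ranges.

Added example, not part of the advisory or of Salt. Ranges follow the
GitHub Security Advisory: < 3005.2, and >= 3006.0rc1 but < 3006.2.
The sample report text is constructed.
"""
import re

# Salt versions look like 3004, 3005.1, 3006.0rc1 (assumption: no other forms).
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:rc(\d+))?$")


def parse_salt_version(text: str) -> tuple:
    """'3006.0rc1' -> (3006, 0, 0, 1); '3006.0' -> (3006, 0, 1, 0).

    The third field ranks a final release above every rc of the same
    number, so plain tuple comparison orders versions correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Salt version: {text!r}")
    major, minor, rc = m.groups()
    minor_n = int(minor) if minor is not None else 0
    if rc is None:
        return (int(major), minor_n, 1, 0)
    return (int(major), minor_n, 0, int(rc))


def is_affected(version: str) -> bool:
    """True when the version falls inside either affected range."""
    v = parse_salt_version(version)
    if v < parse_salt_version("3005.2"):
        return True
    return parse_salt_version("3006.0rc1") <= v < parse_salt_version("3006.2")


def salt_version_from_report(report: str) -> str:
    """Extract the 'Salt:' line from `salt --versions-report` output."""
    for line in report.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Salt":
            return value.strip()
    raise ValueError("no 'Salt:' line found in versions report")


# Constructed excerpt of what `salt --versions-report` prints on a master.
SAMPLE_REPORT = """\
Salt Version:
          Salt: 3006.1

Python Version:
        Python: 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0]
"""


def check_report(report: str) -> dict:
    """Return the parsed version and whether it is in an affected range."""
    version = salt_version_from_report(report)
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    print(check_report(SAMPLE_REPORT))
```

Distribution builds carry a packaging suffix (for example 3006.0-150400.8.44.1) that this parser rejects on purpose; for those, compare against the per-distribution ranges under Affected products rather than the upstream ranges.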
Affected products
- Git Providers / Git Providers (vendor and product as given in the CVE description; no CPE)

Distribution and ecosystem packages from the GitHub Security Advisory (no CPE for any entry; the affected range is listed per package):

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:pypi/salt | PyPI | < 3005.2 (see Affected packages above for the 3006 range) |
| pkg:rpm/opensuse/salt | openSUSE Leap 15.4 | < 3006.0-150400.8.44.1 |
| pkg:rpm/opensuse/salt | openSUSE Leap 15.5 | < 3006.0-150500.4.19.1 |
| pkg:rpm/suse/release-notes-susemanager | SUSE Manager Server 4.3 | < 4.3.8-150400.3.77.1 |
| pkg:rpm/suse/release-notes-susemanager-proxy | SUSE Manager Proxy 4.3 | < 4.3.8-150400.3.61.2 |
| pkg:rpm/suse/saltbundle-libsodium | SUSE:EL-9:Update:Products:SaltBundle:Update | < 1.0.18-1.9.1 |
| pkg:rpm/suse/saltbundlepy-cffi | SUSE:EL-9:Update:Products:SaltBundle:Update | < 1.15.1-1.6.1 |
| pkg:rpm/suse/saltbundlepy-core | SUSE:EL-9:Update:Products:SaltBundle:Update | < 3.10.10-1.9.1 |
| pkg:rpm/suse/saltbundlepy-cryptography | SUSE:EL-9:Update:Products:SaltBundle:Update | < 3.3.2-1.9.2 |
| pkg:rpm/suse/saltbundlepy-cryptography-vectors | SUSE:EL-9:Update:Products:SaltBundle:Update | < 3.3.2-1.6.1 |
| pkg:rpm/suse/saltbundlepy-cython | SUSE:EL-9:Update:Products:SaltBundle:Update | < 0.29.32-1.6.1 |
| pkg:rpm/suse/saltbundlepy | SUSE:EL-9:Update:Products:SaltBundle:Update | < 3.10.10-1.9.1 |
| pkg:rpm/suse/saltbundlepy-kiwi | SUSE:EL-9:Update:Products:SaltBundle:Update | < 9.24.43-1.9.1 |
| pkg:rpm/suse/saltbundlepy-lxml | SUSE:EL-9:Update:Products:SaltBundle:Update | < 4.9.2-1.9.1 |
| pkg:rpm/suse/saltbundlepy-pycparser | SUSE:EL-9:Update:Products:SaltBundle:Update | < 2.17-1.6.1 |
| pkg:rpm/suse/saltbundlepy-pytz | SUSE:EL-9:Update:Products:SaltBundle:Update | < 2022.1-1.9.1 |
| pkg:rpm/suse/saltbundlepy-pyxattr | SUSE:EL-9:Update:Products:SaltBundle:Update | < 0.7.2-1.6.2 |
| pkg:rpm/suse/saltbundlepy-pyzmq | SUSE:EL-9:Update:Products:SaltBundle:Update | < 24.0.1-1.9.2 |
| pkg:rpm/suse/saltbundlepy-rpm-macros | SUSE:EL-9:Update:Products:SaltBundle:Update | < 20211001.fc6c04e-1.6.1 |
| pkg:rpm/suse/saltbundle-zeromq | SUSE:EL-9:Update:Products:SaltBundle:Update | < 4.2.3-1.6.2 |
| pkg:rpm/suse/salt | SUSE Enterprise Storage 7.1 | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | < 3006.0-150100.107.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | < 3006.0-150200.108.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Micro 5.1 | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Micro 5.2 | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Micro 5.3 | < 3006.0-150400.8.44.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Micro 5.4 | < 3006.0-150400.8.44.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Module for Basesystem 15 SP4 | < 3006.0-150400.8.44.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Module for Basesystem 15 SP5 | < 3006.0-150500.4.19.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Module for Server Applications 15 SP4 | < 3006.0-150400.8.44.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Module for Server Applications 15 SP5 | < 3006.0-150500.4.19.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Module for Transactional Server 15 SP4 | < 3006.0-150400.8.44.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Module for Transactional Server 15 SP5 | < 3006.0-150500.4.19.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Server 15 SP1-LTSS | < 3006.0-150100.107.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Server 15 SP2-LTSS | < 3006.0-150200.108.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Server 15 SP3-LTSS | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Server for SAP Applications 15 SP1 | < 3006.0-150100.107.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Server for SAP Applications 15 SP2 | < 3006.0-150200.108.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Server for SAP Applications 15 SP3 | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt | SUSE Manager Proxy 4.2 | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/salt | SUSE Manager Server 4.2 | < 3006.0-150300.53.60.1 |
| pkg:rpm/suse/venv-salt-minion | SUSE Manager Client Tools 12 | < 3006.0-3.40.1 |
| pkg:rpm/suse/venv-salt-minion | SUSE Manager Client Tools 15 | < 3006.0-150000.3.42.1 |
| pkg:rpm/suse/venv-salt-minion | SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS | < 3006.0-1.24.1 |
| pkg:rpm/suse/venv-salt-minion | SUSE Manager Client Tools for SLE Micro 5 | < 3006.0-150000.3.42.1 |
| pkg:rpm/suse/venv-salt-minion | SUSE Manager Proxy Module 4.3 | < 3006.0-150000.3.42.1 |
| pkg:rpm/suse/venv-salt-minion | SUSE Manager Server Module 4.3 | < 3006.0-150000.3.42.1 |
| pkg:rpm/suse/venv-salt-minion | SUSE:EL-9:Update:Products:SaltBundle:Update | < 3006.0-1.24.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qvh6-3j7x-3hq7 (source: GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-20898 (source: GHSA; advisory)
- github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2023-169.yaml (source: GHSA; web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMWJIHQZXHK6FH2E3IWAZCYIRI7FLVOL (source: GHSA; web)
- saltproject.io/security-announcements/2023-08-10-advisory (source: GHSA; web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMWJIHQZXHK6FH2E3IWAZCYIRI7FLVOL/ (source: MITRE)
- saltproject.io/security-announcements/2023-08-10-advisory/ (source: MITRE)
News mentions
No linked articles in our index yet.