VYPR
Critical severity · NVD Advisory · Published Jun 13, 2025 · Updated Feb 26, 2026

CVE-2024-38824 salt advisory

CVE-2024-38824

Description

Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Directory traversal flaw in Salt's recv_file method allows an authenticated minion to write arbitrary files into the master cache directory, potentially leading to remote code execution.

Vulnerability Overview

CVE-2024-38824 is a directory traversal vulnerability found in the recv_file method of Salt, an open-source automation and configuration management platform [1]. The flaw allows an attacker to write arbitrary files to the master's cache directory by bypassing path restrictions, enabling the placement of malicious content outside the intended cache boundaries [3][4].

Exploitation Context

Exploitation requires an authenticated minion (privilege level: Low, as per CVSS v3.1), but no user interaction is needed [3][4]. The attacker can leverage standard Salt communication channels to send a crafted file request containing path traversal sequences (e.g., ../). The vulnerable recv_file method fails to properly sanitize or validate the file path, allowing the attacker to write files to arbitrary locations within the master's cache directory [3][4].
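What separates the two checks in the fix commit listed under Patches, as an added example that is not Salt's code: `prefix_check` mirrors the shape of the removed `startswith` test, and `contained_check` is a stand-in built on `os.path.realpath` and `os.path.commonpath` rather than `salt.utils.verify.clean_path`. The cache path, minion id and file names are constructed.

```python
import os

# Constructed sample values (not taken from the advisory).
CACHEDIR = "/var/cache/salt/master"
MINION_ID = "minion-1"


def files_root(cachedir, minion_id):
    """Directory a minion's pushed files are expected to stay in."""
    return os.path.join(cachedir, "minions", minion_id, "files")


def prefix_check(cachedir, minion_id, parts):
    """Pre-fix shape: normalize, then string-compare against the cache dir."""
    cpath = os.path.join(files_root(cachedir, minion_id), *parts)
    return os.path.normpath(cpath).startswith(cachedir)


def contained_check(cachedir, minion_id, parts):
    """Stand-in containment test (assumption, not Salt's clean_path): the
    resolved target must sit strictly below this minion's files directory."""
    root = os.path.realpath(files_root(cachedir, minion_id))
    target = os.path.realpath(os.path.join(root, *parts))
    try:
        inside = os.path.commonpath([root, target]) == root
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    return inside and target != root


def compare(parts, cachedir=CACHEDIR, minion_id=MINION_ID):
    """Return (prefix_check result, contained_check result) for one path."""
    return (
        prefix_check(cachedir, minion_id, parts),
        contained_check(cachedir, minion_id, parts),
    )


if __name__ == "__main__":
    samples = [
        ["etc", "app.conf"],              # ordinary pushed file
        ["logs", "..", "app.log"],        # ".." that stays inside the root
        ["..", "..", "..", ".user_key"],  # shape used by the fix commit's test
    ]
    for parts in samples:
        print(parts, compare(parts))
```

The third sample normalizes to a file directly under the cache directory, which is why a comparison against the cache directory alone accepts it while a comparison against the per-minion root does not.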

Impact

A successful attack can result in high impact to both confidentiality and integrity (CVSS v3.1 Base Score 9.6, AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) [3][4]. By writing files with controlled content to the master cache, an attacker may achieve remote code execution on the Salt master, pivot to other systems managed by Salt, or disrupt the infrastructure. The attack scope is changed (S:C), meaning the compromised resource impacts assets beyond the original vulnerable component.

Mitigation

The vulnerability is addressed in Salt versions 3006.12 and 3007.4 [3][4]. Users are strongly advised to upgrade to these or newer releases. No workarounds are documented; upgrading is the only reliable mitigation.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions             Patched versions
salt (PyPI)    >= 3007.0rc1, < 3007.4        3007.4
salt (PyPI)    >= 3006.0rc1, < 3006.12       3006.12

Affected products

49

Patches

3
c4ad23f0f313

Add test and fix for file_recv cve

https://github.com/saltstack/salt · Daniel A. Wozniak · Oct 23, 2024 · via ghsa
2 files changed · +32 -4
  • salt/master.py +3 -4 modified
    @@ -1560,11 +1560,10 @@ def _file_recv(self, load):
                 # Can overwrite master files!!
                 return False
     
    -        cpath = os.path.join(
    -            self.opts["cachedir"], "minions", load["id"], "files", normpath
    -        )
    +        rpath = os.path.join(self.opts["cachedir"], "minions", load["id"], "files")
    +        cpath = os.path.join(rpath, normpath)
             # One last safety check here
    -        if not os.path.normpath(cpath).startswith(self.opts["cachedir"]):
    +        if not salt.utils.verify.clean_path(rpath, cpath):
                 log.warning(
                     "Attempt to write received file outside of master cache "
                     "directory! Requested path: %s. Access denied.",
    
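Review bot: the containment root `rpath` on the added line is assembled from `load["id"]`, which arrives in the same request as the path being checked, so `salt.utils.verify.clean_path(rpath, cpath)` only confines the write to the minion's own `files` directory if the id has been validated before this point; nothing in the visible lines shows that. Worth confirming the id is checked above this hunk, or saying so in the comment next to "One last safety check here". The warning text kept below the check still reads "outside of master cache directory", while the check is now against the per-minion `files` directory; updating the message would keep the log accurate for whoever triages it.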
  • tests/pytests/integration/master/test_recv_file.py +29 -0 added
    @@ -0,0 +1,29 @@
    +import getpass
    +import pathlib
    +
    +import salt.channel.client
    +
    +
    +def test_file_recv_path(salt_master, salt_minion):
    +    config = salt_minion.config.copy()
    +    config["master_uri"] = f"tcp://127.0.0.1:{salt_master.config['ret_port']}"
    +    keyfile = f".{getpass.getuser()}_key"
    +    data = b"asdf"
    +    load_path_list = ["..", "..", "..", keyfile]
    +    cachedir = salt_master.config["cachedir"]
    +    assert (pathlib.Path(cachedir) / keyfile).exists()
    +    assert (pathlib.Path(cachedir) / keyfile).read_bytes() != data
    +    with salt.channel.client.ReqChannel.factory(config, crypt="aes") as channel:
    +        load = {
    +            "cmd": "_file_recv",
    +            "id": salt_minion.config["id"],
    +            "path": load_path_list,
    +            "size": len(data),
    +            "tok": channel.auth.gen_token(b"salt"),
    +            "loc": 0,
    +            "data": b"asdf",
    +        }
    +        ret = channel.send(load)
    +    assert ret is False
    +    assert (pathlib.Path(cachedir) / keyfile).exists()
    +    assert (pathlib.Path(cachedir) / keyfile).read_bytes() != data
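Review bot: `assert ret is False` does not show that the new path check is what rejected the request, because `_file_recv` has other `return False` branches (one is visible at the top of the salt/master.py hunk) and the test never sends a request that is expected to succeed. Adding a companion request with a benign relative path, and asserting that the file lands under the minion's `files` directory, would make the negative result meaningful and would catch a change that rejects everything. Minor: the load passes the literal `b"asdf"` for `"data"` although `data` is defined above; `"data": data` keeps the final `read_bytes() != data` assertion tied to what was actually sent.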
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
