Three related critical vulnerabilities have been discovered in Salt versions 3002 and earlier. 

Two of these vulnerabilities are expected to be rated as high/critical and the other is expected to be low based on the Common Vulnerability Scoring System (CVSS). Once SaltStack became aware of the vulnerabilities, we quickly took actions to remediate them. 

We are preparing a CVE release to be available on Tuesday, November 3rd at 10:00 MST. The CVE packages will be available for 3002.1, 3001.3, and 3000.5 and patches for older versions. 

The releases will only contain the patches available to resolve and remediate the identified vulnerabilities. We recommend you review this article to ensure you are actively following SaltStack’s best practices for securing your Salt Environment: Hardening Salt (https://docs.saltstack.com/en/latest/topics/hardening.html#general-hardening-tips). These steps and best practices would ensure you are safeguarded. 

Given the critical nature of the vulnerability, we are advising all users to quickly apply the CVE release as soon as the packages are available. Please reach out if you have any questions or comments. You can reach us at security@saltstack.com.