Three related critical vulnerabilities have been discovered in Salt versions 3002 and earlier.
Two of these vulnerabilities are expected to be rated as high/critical and the other is expected to be low based on the Common Vulnerability Scoring System (CVSS). Once SaltStack became aware of the vulnerabilities, we quickly took actions to remediate them.
We are preparing a CVE release to be available on Tuesday, November 3rd at 10:00 MST. The CVE packages will be available for 3002.1, 3001.3, and 3000.5 and patches for older versions.