CVE-2025-22240

Summary

Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using unvalidated input from the “tgt_env” variable. This can be exploited by an attacker to delete any file on the Master's process has permissions to.

Affected Software

VendorProductVersion RangeStatus
VMwareSALT3006.x < 3006.12affected
VMwareSALT3007.x < 3007.4affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References