CVE-2021-22004: 
Python vulnerability analysis and mitigation

CVE-2021-22004 is a security vulnerability discovered in SaltStack Salt versions before 3003.3. The vulnerability allows a malicious actor to subvert the proper behavior of the salt minion software by exploiting the installer's acceptance and usage of a minion config file at C:\salt\conf if that file is in place before the installer is run (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H, and a CVSS v2.0 Base Score of 4.4 (MEDIUM). The vulnerability is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) (NVD).

If exploited, this vulnerability could allow a malicious actor to compromise the salt minion software's intended behavior by pre-positioning a malicious configuration file. This could potentially lead to unauthorized control or manipulation of the salt minion's operations (NVD).

The vulnerability has been fixed in SaltStack Salt version 3003.3. Users are advised to upgrade to this version or later. The fix has been distributed through various channels including Fedora's package management system (Fedora Advisory).