9.8

CVE-2021-25281

Exploit
An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SaltstackSalt Version < 2015.8.10
SaltstackSalt Version >= 2015.8.11 < 2015.8.13
SaltstackSalt Version >= 2016.3.0 < 2016.3.4
SaltstackSalt Version >= 2016.3.5 < 2016.3.6
SaltstackSalt Version >= 2016.3.7 < 2016.3.8
SaltstackSalt Version >= 2016.3.9 < 2016.11.3
SaltstackSalt Version >= 2016.11.4 < 2016.11.5
SaltstackSalt Version >= 2016.11.7 < 2016.11.10
SaltstackSalt Version >= 2017.5.0 < 2017.7.8
SaltstackSalt Version >= 2018.2.0 <= 2018.3.5
SaltstackSalt Version >= 2019.2.0 < 2019.2.5
SaltstackSalt Version >= 2019.2.6 < 2019.2.8
SaltstackSalt Version >= 3000 < 3000.6
SaltstackSalt Version >= 3001 < 3001.4
SaltstackSalt Version >= 3002 < 3002.5
FedoraprojectFedora Version32
FedoraprojectFedora Version33
FedoraprojectFedora Version34
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 72.95% 0.994
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/saltstack/salt/releases
Third Party Advisory
Release Notes
https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/
Third Party Advisory
Mailing List
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
Vendor Advisory
https://security.gentoo.org/glsa/202103-01
Third Party Advisory
https://security.gentoo.org/glsa/202310-22
Third Party Advisory
https://www.debian.org/security/2021/dsa-5011
Third Party Advisory
http://packetstormsecurity.com/files/162058/SaltStack-Salt-API-Unauthenticated-Remote-Command-Execution.html
Third Party Advisory
Exploit
VDB Entry
https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/
Vendor Advisory