CVE-2021-25281

Published: Feb 27, 2021

Modified: Nov 19, 2024

PUBLISHED

Description

An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/saltstack/salt/releases

https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/

https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

FEDORA-2021-904a2dbc0c

vendor-advisory

FEDORA-2021-5756fbf8a6

vendor-advisory

FEDORA-2021-43eb5584ad

vendor-advisory

GLSA-202103-01

vendor-advisory

http://packetstormsecurity.com/files/162058/SaltStack-Salt-API-Unauthenticated-Remote-Command-Execution.html

[debian-lts-announce] 20211110 [SECURITY] [DLA 2815-1] salt security update

mailing-list

DSA-5011

vendor-advisory

GLSA-202310-22

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-25281

Description

Affected Products

References