PT-2021-5177 · Saltstack · Saltstack Salt

Published: 2016-11-21 · Updated: 2024-08-08 · CVE-2021-25281

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SaltStack Salt versions prior to 3002.5
Description: The issue is an improper access restriction in SaltStack Salt that lets a remote, unauthenticated attacker reach functions that are supposed to require authentication. Specifically, salt-api does not honor eauth (external authentication) credentials for the wheel_async client, so an attacker who can reach salt-api over the network can run any wheel module on the master without valid credentials. Wheel modules manage the master itself (minion key acceptance and rejection among them), which is why the vector is scored with no privileges and no user interaction and a high impact on confidentiality, integrity and availability.
Recommendations: For versions prior to 3002.5, update to version 3002.5 or later. Distribution packages may carry the fix as a backport under an older version string; for those, follow the distribution advisories listed under Related Identifiers rather than the upstream version number. Until the master runs a fixed release, keep salt-api off untrusted networks: bind it to a trusted interface, restrict it with a firewall, or stop the salt-api service. Tightening external_auth permissions is not a workaround here, because the flaw is that eauth is not consulted at all for the wheel_async client.

Weakness Enumeration: Improper Authentication (CWE-287)

Related Identifiers

ALT-PU-2016-2317
ALT-PU-2017-1436
ALT-PU-2017-2801
ALT-PU-2018-2416
ALT-PU-2019-2322
ALT-PU-2019-2359
ALT-PU-2020-1935
ALT-PU-2020-1949
ALT-PU-2020-2668
ALT-PU-2020-2697
ALT-PU-2021-1590
ALT-PU-2021-1591
ALT-PU-2021-1982
ALT-PU-2021-2076
ALT-PU-2022-1683
ALT-PU-2022-3177
ALT-PU-2022-3214
ALT-PU-2022-3218
BDU:2021-05977
CVE-2021-25281
DLA-2815-1
DSA-5011-1
GHSA-XXW3-765M-F37P
OPENSUSE-SU-2021:0347-1
OPENSUSE-SU-2024:11364-1
PYSEC-2021-50
SUSE-RU-2021:0632-1
SUSE-RU-2021:0633-1
SUSE-SU-2021:0624-1
SUSE-SU-2021:0626-1
SUSE-SU-2021:0627-1
SUSE-SU-2021:0628-1
SUSE-SU-2021:0630-1
SUSE-SU-2021:0631-1
SUSE-SU-2021:0914-1
SUSE-SU-2021:0915-1
SUSE-SU-2021:14650-1
SUSE-SU-2021:14682-1
SUSE-SU-2021:1690-1
USN-6948-1

Affected Products

Alt Linux
Saltstack Salt
Suse
Ubuntu