CVE-2021-25283

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions SaltStack Salt versions prior to 3002.5

Description An issue was discovered in SaltStack Salt where the jinja renderer does not protect against server-side template injection attacks. This could allow a remote attacker to execute arbitrary code due to errors in input validation.

Recommendations For versions prior to 3002.5, update to version 3002.5 or later to resolve the issue. As a temporary workaround, consider disabling the jinja renderer until a patch is available. Restrict access to the wheel.pillar roots.write component to minimize the risk of exploitation. Avoid using the jinja renderer for rendering untrusted templates until the issue is resolved.

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

ALT-PU-2016-2317

ALT-PU-2017-2801

ALT-PU-2018-2416

ALT-PU-2019-2322

ALT-PU-2019-2359

ALT-PU-2021-1590

ALT-PU-2021-1591

ALT-PU-2021-1982

ALT-PU-2022-3218

BDU:2021-06348

CVE-2021-25283

DLA-2815-1

DSA-5011-1

GHSA-XGMH-GFXW-2HVV

OPENSUSE-SU-2021:0347-1

OPENSUSE-SU-2021_0347-1

PYSEC-2021-52

SUSE-RU-2021:0632-1

SUSE-RU-2021:0633-1

SUSE-SU-2021:0624-1

SUSE-SU-2021:0626-1

SUSE-SU-2021:0627-1

SUSE-SU-2021:0628-1

SUSE-SU-2021:0630-1

SUSE-SU-2021:0631-1

SUSE-SU-2021:0914-1

SUSE-SU-2021:0915-1

SUSE-SU-2021:14650-1

SUSE-SU-2021:1690-1

SUSE-SU-2021_14650-1

SUSE-SU-2021_14682-1

USN-6948-1

Affected Products

Alt Linux

Saltstack Salt

Suse

Ubuntu

CVE-2021-25283

Weakness Enumeration

Related Identifiers

Affected Products

References · 88