CVE-2021-25282

CVSS v2.0

9.4

Critical

Vector

AV:N/AC:L/Au:N/C:N/I:C/A:C

Name of the Vulnerable Software and Affected Versions SaltStack Salt versions prior to 3002.5

Description An issue was discovered in SaltStack Salt, where the salt.wheel.pillar roots.write method is vulnerable to directory traversal. This vulnerability is related to incorrect restriction of the path name to a directory with limited access. Exploitation of this issue may allow a remote attacker to disclose protected information using a specially crafted HTTP request.

Recommendations For versions prior to 3002.5, update to version 3002.5 or later to resolve the issue. As a temporary workaround, consider disabling the salt.wheel.pillar roots.write method until a patch is available.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

ALT-PU-2016-2317

ALT-PU-2017-2801

ALT-PU-2018-2416

ALT-PU-2019-2322

ALT-PU-2019-2359

ALT-PU-2021-1590

ALT-PU-2021-1591

ALT-PU-2021-1982

ALT-PU-2022-3218

BDU:2022-07060

CVE-2021-25282

DLA-2480-2

DLA-2815-1

DSA-5011-1

GHSA-76X4-X3P6-RPR9

OPENSUSE-SU-2021:0347-1

OPENSUSE-SU-2021_0347-1

PYSEC-2021-51

SUSE-RU-2021:0632-1

SUSE-RU-2021:0633-1

SUSE-SU-2021:0624-1

SUSE-SU-2021:0626-1

SUSE-SU-2021:0627-1

SUSE-SU-2021:0628-1

SUSE-SU-2021:0630-1

SUSE-SU-2021:0631-1

SUSE-SU-2021:0914-1

SUSE-SU-2021:0915-1

SUSE-SU-2021:14650-1

SUSE-SU-2021:1690-1

SUSE-SU-2021_14650-1

SUSE-SU-2021_14682-1

USN-6948-1

Affected Products

Alt Linux

Saltstack Salt

Suse

Ubuntu

CVE-2021-25282

Weakness Enumeration

Related Identifiers

Affected Products

References · 100