PT-2023-12201 · Saltstack+1 · Saltstack+1

Gabriele Sonnu

Published

2021-06-28

Updated

2025-03-18

CVE-2021-33226

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Saltstack versions 3003 and before

Description The issue allows an attacker to execute arbitrary code via the func variable in the salt/salt/modules/status.py file. This is a Buffer Overflow vulnerability. Note that there is a dispute regarding the vulnerability, as some parties claim an attacker cannot influence the eval input.

Recommendations For Saltstack versions 3003 and before, consider disabling the func variable in the salt/salt/modules/status.py file as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-120

Related Identifiers

ALT-PU-2021-2076

ALT-PU-2022-1683

ALT-PU-2022-3218

CVE-2021-33226

PYSEC-2023-47

Affected Products

Alt Linux

Saltstack

PT-2023-12201 · Saltstack+1 · Saltstack+1

CVE-2021-33226

Weakness Enumeration

Related Identifiers

Affected Products

References · 65