CVE-2021-3144
CRITICAL severity · CVSS 9.1 · CWE-613
9.1CVSS CRITICAL
Summary
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactNone
Exploit probability (EPSS)5%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Additional information
- NVD record
- https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/Advisory
- https://github.com/saltstack/salt/releasesAdvisory
- https://lists.debian.org/debian-lts-announce/2021/11/msg00009.htmlAdvisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/Advisory
- https://security.gentoo.org/glsa/202103-01Advisory
- https://security.gentoo.org/glsa/202310-22Advisory