CVE-2021-25281

Critical

An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client.…

mitre·CWE-287·Published 2021-02-27

CVSS

9.8

EPSS

0.73

KEV

Exploits

Vendor statements (6)

cve.orgen

202 chars

An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.

OSV.deven

202 chars

GHSAen

202 chars

NVDes

256 chars

Se detectó un problema por medio de SaltStack Salt versiones anteriores a 3002.5. salt-api no respeta las credenciales de eauth para el cliente wheel_async. Por lo tanto, un atacante puede ejecutar remotamente cualquier módulo wheel en el maestro

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	7.5	10.0	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
3.1	Primary	NVD	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.1	Secondary	GHSA	9.8	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H