Vulnerability CVE-2021-25284

Vulnerability Name:

CVE-2021-25284 (CCN-197535)

Assigned:

2021-02-25

Published:

2021-02-25

Updated:

2022-07-12

Summary:

An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.

CVSS v3 Severity:

4.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N)
3.9 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): High User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

1.9 Low (CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-532
CWE-522

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2021-25284

Source: XF
Type: UNKNOWN
saltstack-cve202125284-info-disc(197535)

Source: MISC
Type: Third Party Advisory
https://github.com/saltstack/salt/releases

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20211110 [SECURITY] [DLA 2815-1] salt security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20220103 [SECURITY] [DLA 2480-2] salt regression update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-5756fbf8a6

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-43eb5584ad

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-904a2dbc0c

Source: CCN
Type: SaltStack Web site
Active SaltStack CVE Release 2021-FEB-25

Source: CONFIRM
Type: Vendor Advisory
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Source: GENTOO
Type: Third Party Advisory
GLSA-202103-01

Source: DEBIAN
Type: Third Party Advisory
DSA-5011

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-25284

Vulnerable Configuration:

Configuration 1:

cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2019.2.0 and < 2019.2.5)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2016.3.7 and < 2016.3.8)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2016.11.7 and < 2016.11.10)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2016.3.5 and < 2016.3.6)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2015.8.11 and < 2015.8.13)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2016.3.0 and < 2016.3.4)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version < 2015.8.10)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2016.3.9 and < 2016.11.3)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2016.11.4 and < 2016.11.5)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2017.5.0 and < 2017.7.8)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2018.2.0 and <= 2018.3.5)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 2019.2.6 and < 2019.2.8)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 3000 and < 3000.6)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 3001 and < 3001.4)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 3002 and < 3002.5)

Configuration 2:

cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:saltstack:salt:2016.11.6:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2016.3.4:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2015.8.10:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2015.8.13:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2016.3.6:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2016.3.8:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2016.11.3:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2016.11.5:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2016.11.10:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2017.7.8:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2018.3.5:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2019.2.5:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:2019.2.8:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:3000.6:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:3001.4:*:*:*:*:*:*:*

OR cpe:/a:saltstack:salt:3002.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:622	P	Security update for bind (Important) (in QA)	2022-09-23
oval:org.opensuse.security:def:93157	P	(Important)	2022-07-14
oval:org.opensuse.security:def:93310	P	(Important)	2022-07-06
oval:org.opensuse.security:def:95167	P	salt-transactional-update-3004-150400.6.16 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:3537	P	salt-transactional-update-3004-150400.6.16 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94811	P	python3-salt-3004-150400.6.16 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:3181	P	python3-salt-3004-150400.6.16 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:3567	P	kernel-default-extra-5.14.21-150400.22.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95152	P	salt-api-3004-150400.6.16 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94679	P	libosinfo-1.7.1-150400.8.6 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:3522	P	salt-api-3004-150400.6.16 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:291	P	python3-salt-3002.2-6.1 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:99202	P	(Important)	2022-01-25
oval:org.opensuse.security:def:1220	P	Security update for the Linux Kernel (Important)	2021-10-12
oval:org.opensuse.security:def:2283	P	salt-api-3002.2-6.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:101392	P	python3-pywbem-0.11.0-2.21 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63372	P	salt-api-3002.2-6.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:101398	P	salt-api-3002.2-6.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:62309	P	python3-salt-3002.2-6.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101067	P	python3-salt-3002.2-6.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72050	P	python3-salt-3002.2-6.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:99397	P	(Important)	2021-07-20
oval:org.opensuse.security:def:9846	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:99007	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:7668	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:93004	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:38434	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:70537	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:97242	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:64656	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:73778	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:99795	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:9091	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:95947	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:92447	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:108058	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:69787	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:49083	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:102788	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:10207	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:8017	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:38449	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:91692	P	Security update for py26-compat-salt (Critical)	2021-02-26
oval:org.opensuse.security:def:97243	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:68757	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:76537	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:100107	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:9453	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:95987	P	Security update for py26-compat-salt (Critical)	2021-02-26
oval:org.opensuse.security:def:92646	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:109326	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:69986	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:10397	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:8706	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:20612	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:92057	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:97244	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:69106	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:42867	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:9647	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:96098	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:92845	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:109454	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:70347	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:99596	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:8896	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:21013	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:92252	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:111237	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:69593	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:42882	P	Security update for salt (Critical)	2021-02-26
oval:org.opensuse.security:def:102660	P	Security update for salt (Critical)	2021-02-26

BACK