Bug 1945077 (CVE-2021-25315)
Summary: | CVE-2021-25315 salt: salt-api unauthenticated remote code exec | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | amctagga, anharris, bniver, brycel, david-dm.murphy, flucifre, frederic.pierret, gmeno, hvyas, kp, mbenjamin, mhackett, sostapov, vereddy |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in Salt. This issue is caused by an incorrect implementation of the authentication algorithm, where openSUSE Tumbleweed allows local attackers to execute arbitrary code via Salt without the need to specify valid credentials in Salt versions before 3002.2-3. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | | |
Last Closed: | 2021-04-01 23:35:20 UTC | Type: | --- |
Bug Depends On: | 1945080 | | |
Bug Blocks: | 1945079 | | |
Description
Dhananjay Arunesh
2021-03-31 10:21:51 UTC
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1945080]

Modifying score to match NIST, as the attacker must be a user of the SUSE Linux Enterprise Server 15 SP 3.

External References:
https://bugzilla.suse.com/show_bug.cgi?id=1182382
that bug has Status: RESOLVED FIXED

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-25315