fkie_nvd - fkie_cve-2021-3144

fkie_cve-2021-3144

Vulnerability from fkie_nvd

Published

2021-02-27 05:15

Modified

2024-11-21 06:20

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)

References

URL	Tags
cve@mitre.org	https://github.com/saltstack/salt/releases	Third Party Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html	Mailing List, Third Party Advisory
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/	Mailing List, Third Party Advisory
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/	Mailing List, Third Party Advisory
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/	Mailing List, Third Party Advisory
cve@mitre.org	https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/	Vendor Advisory
cve@mitre.org	https://security.gentoo.org/glsa/202103-01	Third Party Advisory
cve@mitre.org	https://security.gentoo.org/glsa/202310-22	Third Party Advisory
cve@mitre.org	https://www.debian.org/security/2021/dsa-5011	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/saltstack/salt/releases	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202103-01	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202310-22	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2021/dsa-5011	Third Party Advisory

Impacted products

Vendor	Product	Version
saltstack	salt	*
saltstack	salt	*
saltstack	salt	*
saltstack	salt	*
saltstack	salt	*
saltstack	salt	*
saltstack	salt	*
saltstack	salt	*
saltstack	salt	*
saltstack	salt	*
saltstack	salt	*
saltstack	salt	*
saltstack	salt	*
saltstack	salt	*
saltstack	salt	*
fedoraproject	fedora	32
fedoraproject	fedora	33
fedoraproject	fedora	34
debian	debian_linux	9.0
debian	debian_linux	10.0
debian	debian_linux	11.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0F9405E3-F2B0-41BA-A39D-61BB38475A59",
              "versionEndExcluding": "2015.8.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A35C23D3-82D4-46E7-BF08-9229C04C0C3D",
              "versionEndExcluding": "2015.8.13",
              "versionStartIncluding": "2015.8.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4741BD5-4C40-48BC-A2C1-E6AB33818201",
              "versionEndExcluding": "2016.3.4",
              "versionStartIncluding": "2016.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D28A2B5-316A-45DC-AC85-A0F743C4B3C4",
              "versionEndExcluding": "2016.3.6",
              "versionStartIncluding": "2016.3.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "17C96153-85C1-45DC-A48B-46A3900246E2",
              "versionEndExcluding": "2016.3.8",
              "versionStartIncluding": "2016.3.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "67FBC561-336A-4F25-B347-C4CA029B6E30",
              "versionEndExcluding": "2016.11.3",
              "versionStartIncluding": "2016.3.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5E17739-655C-4FAC-A73B-985132B32C73",
              "versionEndExcluding": "2016.11.5",
              "versionStartIncluding": "2016.11.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "11D84847-0C8A-473A-9186-46FABD7BB59A",
              "versionEndExcluding": "2016.11.10",
              "versionStartIncluding": "2016.11.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3721B047-2595-4E79-8FDD-B1224FC0DD2C",
              "versionEndExcluding": "2017.7.8",
              "versionStartIncluding": "2017.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB8FA088-6AAD-46DF-884C-7362CB4BE430",
              "versionEndIncluding": "2018.3.5",
              "versionStartIncluding": "2018.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7A2912C-7F48-465D-B7F2-93ECD0D0CB74",
              "versionEndExcluding": "2019.2.5",
              "versionStartIncluding": "2019.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "40369149-A5C3-4759-844F-3510559397C5",
              "versionEndExcluding": "2019.2.8",
              "versionStartIncluding": "2019.2.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "906D2835-186A-455E-84EB-E982564B9CBD",
              "versionEndExcluding": "3000.6",
              "versionStartIncluding": "3000",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5F0E0DA3-49F7-4938-9FBD-F3680B1BDBB6",
              "versionEndExcluding": "3001.4",
              "versionStartIncluding": "3001",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B757DF0-6490-4FE7-9C98-5D8C700A4377",
              "versionEndExcluding": "3002.5",
              "versionStartIncluding": "3002",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
              "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
              "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
              "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)"
    },
    {
      "lang": "es",
      "value": "En SaltStack Salt versiones anteriores a 3002.5, los tokens de eauth pueden ser usados una vez despu\u00e9s de su vencimiento.\u0026#xa0;(Pueden ser usados para ejecutar un comando contra el maestro de sal o los minions)"
    }
  ],
  "id": "CVE-2021-3144",
  "lastModified": "2024-11-21T06:20:58.993",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-02-27T05:15:14.113",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/saltstack/salt/releases"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202103-01"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202310-22"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2021/dsa-5011"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/saltstack/salt/releases"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202103-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202310-22"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2021/dsa-5011"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-613"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2021-3144 (GCVE-0-2021-3144)

Vulnerability from cvelistv5

Published

2021-02-27 00:00