CVE-2021-22004
Published 2021-09-08
Priority P427 · medium · 6.4 · CVSS 3.1
AV:L / AC:H / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.35% (27.2th percentile)
An issue was discovered in SaltStack Salt before 3003.3. The salt minion installer will accept and use a minion config file at C:\salt\conf if that file is in place before the installer is run. This allows for a malicious actor to subvert the proper behaviour of the given minion software.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| saltstack | salt | < 3000.3 | 3000.3 |
| saltstack | salt | >= 0 < 3003.3 | 3003.3 |
CVSS provenance
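| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 6.4 | MEDIUM | — |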
GHSA
Improper Authentication in SaltStack Salt
ghsa·2022-05-24
CVE-2021-22004 [HIGH] CWE-287 Improper Authentication in SaltStack Salt
OSV
Improper Authentication in SaltStack Salt
osv·2022-05-24
CVE-2021-22004 [HIGH] Improper Authentication in SaltStack Salt
OSV
CVE-2021-22004: An issue was discovered in SaltStack Salt before 3003
osv·2021-09-08
Red Hat
salt: allows malicious actor to subvert the proper behaviour of the given minion software
vendor_redhat·2021-09-02·CVSS 6.4
CVE-2021-22004 [MEDIUM] CWE-287 salt: allows malicious actor to subvert the proper behaviour of the given minion software
An improper authentication flaw was found in SaltStack salt before version 3003.3. The Salt minion installer accepts and uses a minion config file at C:\salt\conf if that file is in place before the installer is run. This flaw allows a malicious actor to subvert the proper behavior of the given minion software.
Package: salt (Red Hat Ceph Storage 2) - Out of support scope
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BUWUF5VTENNP2ZYZBVFKPSUHLKLUBD5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ACVT7M4YLZRLWWQ6SGRK3C6TOF4FXOXT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MBAHHSGZLEJRCG4DX6J4RBWJAAWH55RQ/
https://saltproject.io/security_announcements/salt-security-advisory-2021-sep-02/
Published: 2021-09-08