CVE-2021-22004

CWE-362 — Race Condition CWE-287 — Improper Authentication6 documents5 sources

Severity

6.4MEDIUM

EPSS

0.1%

top 83.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Saltstack Salt Fedoraproject Fedora

Timeline

PublishedSep 8

Latest updateMay 24

Description

An issue was discovered in SaltStack Salt before 3003.3. The salt minion installer will accept and use a minion config file at C:\salt\conf if that file is in place before the installer is run. This allows for a malicious actor to subvert the proper behaviour of the given minion software.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.5 | Impact: 5.9

Affected Packages3 packages

▶NVDsaltstack/salt< 3000.3

▶CVEListV5saltstack_saltSaltstack Salt (before 3003.3)

▶PyPIsalt< 3003.3

Also affects: Fedora 33, 34, 35

Patches

Patch: saltproject.io ↗Patch: saltproject.io ↗

🔴Vulnerability Details

GHSA

Improper Authentication in SaltStack Salt↗2022-05-24

▶

OSV

Improper Authentication in SaltStack Salt↗2022-05-24

▶

CVEList

CVE-2021-22004: An issue was discovered in SaltStack Salt before 3003↗2021-09-08

▶

OSV

CVE-2021-22004: An issue was discovered in SaltStack Salt before 3003↗2021-09-08

▶

📋Vendor Advisories

Red Hat

salt: allows malacious actor to subvert the proper behaviour of the given minion software↗2021-09-02

▶