CVE-2021-25284
published 2021-02-27CVE-2021-25284: An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
PriorityP416medium4.4CVSS 3.1
AVLACLPRHUINSUCNIHAN
EPSS
0.54%
41.2th percentile
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
Affected
46 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| saltstack | salt | < 2015.8.10 | 2015.8.10 |
| saltstack | salt | >= 0 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 0 < 2015.8.10 | 2015.8.10 |
| saltstack | salt | >= 0 < 2015.8.8+ds-1ubuntu0.1+esm2 | 2015.8.8+ds-1ubuntu0.1+esm2 |
| saltstack | salt | >= 0 < 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 | 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2016.11.0 < 2016.11.3 | 2016.11.3 |
| saltstack | salt | >= 2016.11.4 < 2016.11.5 | 2016.11.5 |
| saltstack | salt | >= 2016.11.4 < 2016.11.5 | 2016.11.5 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.0 < 2016.11.5 | 2016.11.5 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |
| saltstack | salt | >= 2016.3.7 < 2016.3.8 | 2016.3.8 |
| saltstack | salt | >= 2016.3.7 < 2016.3.8 | 2016.3.8 |
CVSS provenance
nvdv3.14.4MEDIUMCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
nvdv2.01.9LOWAV:L/AC:M/Au:N/C:N/I:P/A:N
osv9.8CRITICAL
vendor_ubuntu9.8CRITICAL
vendor_redhat4.4MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
salt vulnerabilities
osv·2024-08-08·CVSS 9.8
CVE-2020-16846 [CRITICAL] salt vulnerabilities
salt vulnerabilities
It was discovered that Salt incorrectly handled crafted web requests.
A remote attacker could possibly use this issue to run arbitrary
commands. (CVE-2020-16846)
It was discovered that Salt incorrectly created certificates with weak
file permissions. (CVE-2020-17490)
It was discovered that Salt incorrectly handled credential validation.
A remote attacker could possibly use this issue to bypass authentication.
(CVE-2020-25592)
It was discovered that Salt incorrectly handled crafted process names.
An attacker could possibly use this issue to run arbitrary commands.
This issue only affected Ubuntu 18.04 LTS. (CVE-2020-28243)
It was discovered that Salt incorrectly handled validation of SSL/TLS
certificates. A remote attacker could possibly use this issue to spoof
a t
GHSA
SaltStack Salt Cleartext Storage of Sensitive Information via cmdmod
ghsa·2022-05-24
CVE-2021-25284 [MEDIUM] CWE-312 SaltStack Salt Cleartext Storage of Sensitive Information via cmdmod
SaltStack Salt Cleartext Storage of Sensitive Information via cmdmod
An issue was discovered in through SaltStack Salt before 3002.5. `salt.modules.cmdmod` can log credentials to the info or error log level.
OSV
SaltStack Salt Cleartext Storage of Sensitive Information via cmdmod
osv·2022-05-24
CVE-2021-25284 [MEDIUM] SaltStack Salt Cleartext Storage of Sensitive Information via cmdmod
SaltStack Salt Cleartext Storage of Sensitive Information via cmdmod
An issue was discovered in through SaltStack Salt before 3002.5. `salt.modules.cmdmod` can log credentials to the info or error log level.
OSV
CVE-2021-25284: An issue was discovered in through SaltStack Salt before 3002
osv·2021-02-27
CVE-2021-25284 CVE-2021-25284: An issue was discovered in through SaltStack Salt before 3002
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
Ubuntu
Salt vulnerabilities
vendor_ubuntu·2024-08-08·CVSS 9.8
CVE-2020-16846 [CRITICAL] Salt vulnerabilities
Title: Salt vulnerabilities
Summary: Several security issues were fixed in Salt.
It was discovered that Salt incorrectly handled crafted web requests.
A remote attacker could possibly use this issue to run arbitrary
commands. (CVE-2020-16846)
It was discovered that Salt incorrectly created certificates with weak
file permissions. (CVE-2020-17490)
It was discovered that Salt incorrectly handled credential validation.
A remote attacker could possibly use this issue to bypass authentication.
(CVE-2020-25592)
It was discovered that Salt incorrectly handled crafted process names.
An attacker could possibly use this issue to run arbitrary commands.
This issue only affected Ubuntu 18.04 LTS. (CVE-2020-28243)
It was discovered that Salt incorrectly handled validation of SSL/TLS
certificates.
Red Hat
salt: webutils write passwords in cleartext to /var/log/salt/minion
vendor_redhat·2021-02-25·CVSS 4.4
CVE-2021-25284 [MEDIUM] CWE-312 salt: webutils write passwords in cleartext to /var/log/salt/minion
salt: webutils write passwords in cleartext to /var/log/salt/minion
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
A flaw was found in salt. Webutils write passwords in cleartext to /var/log/salt/minion.
Package: salt (Red Hat Ceph Storage 2) - Out of support scope
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/saltstack/salt/releaseshttps://lists.debian.org/debian-lts-announce/2021/11/msg00009.htmlhttps://lists.debian.org/debian-lts-announce/2022/01/msg00000.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/https://security.gentoo.org/glsa/202103-01https://security.gentoo.org/glsa/202310-22https://www.debian.org/security/2021/dsa-5011https://github.com/saltstack/salt/releaseshttps://lists.debian.org/debian-lts-announce/2021/11/msg00009.htmlhttps://lists.debian.org/debian-lts-announce/2022/01/msg00000.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/https://security.gentoo.org/glsa/202103-01https://security.gentoo.org/glsa/202310-22https://www.debian.org/security/2021/dsa-5011
2021-02-27
Published