Severity: 4.4 MEDIUM
EPSS: 0.0% (top 94.91%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Feb 27
Latest update: Aug 8

Description

An issue was discovered in SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Exploitability: 0.8 | Impact: 3.6

Affected Packages: 2 packages

NVD | saltstack/salt | 2015.8.11 | 2015.8.13 | +14
PyPI | salt | 2016.3.0 | 2016.11.5 | +22

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 32, 33, 34

🔴 Vulnerability Details (4)

GHSA: SaltStack Salt Cleartext Storage of Sensitive Information via cmdmod (2022-05-24)
OSV: SaltStack Salt Cleartext Storage of Sensitive Information via cmdmod (2022-05-24)
CVEList: CVE-2021-25284: An issue was discovered in through SaltStack Salt before 3002 (2021-02-27)
OSV: CVE-2021-25284: An issue was discovered in through SaltStack Salt before 3002 (2021-02-27)

📋 Vendor Advisories (2)

Ubuntu: Salt vulnerabilities (2024-08-08)
Red Hat: salt: webutils write passwords in cleartext to /var/log/salt/minion (2021-02-25)
CVE-2021-25284 (MEDIUM CVSS 4.4) | An issue was discovered in through | cvebase.io