CVE-2021-25315
published 2021-03-03CVE-2021-25315: CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary…
PriorityP346high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
EPSS
2.33%
81.4th percentile
CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opensuse | tumbleweed | salt – 3002.2-2.1 | — |
| saltstack | salt | < 3002.2 | 3002.2 |
| saltstack | salt | >= 0 < 3002.2 | 3002.2 |
| suse | suse_linux_enterprise_server_15_sp_3 | >= salt < 3002.2-3 | 3002.2-3 |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.04.6MEDIUMAV:L/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Saltstack Salt Unauthenticated Arbitrary Code Execution
osv·2022-05-24
CVE-2021-25315 [HIGH] Saltstack Salt Unauthenticated Arbitrary Code Execution
Saltstack Salt Unauthenticated Arbitrary Code Execution
A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
GHSA
Saltstack Salt Unauthenticated Arbitrary Code Execution
ghsa·2022-05-24
CVE-2021-25315 [HIGH] CWE-287 Saltstack Salt Unauthenticated Arbitrary Code Execution
Saltstack Salt Unauthenticated Arbitrary Code Execution
A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
OSV
CVE-2021-25315: CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute ar
osv·2021-03-03
CVE-2021-25315 CVE-2021-25315: CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute ar
CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
Red Hat
salt: salt-api unauthenticated remote code exec
vendor_redhat·2021-02-17·CVSS 9.8
CVE-2021-25315 [CRITICAL] CWE-94 salt: salt-api unauthenticated remote code exec
salt: salt-api unauthenticated remote code exec
CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
A flaw was found in Salt. This issue is caused by an incorrect implementation of the authentication algorithm, where openSUSE Tumbleweed allows local attackers to execute arbitrary code via Salt without the need to specify
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-03-03
Published