CVE-2021-25315Improper Authentication in Linux Enterprise Server 15 SP 3

CWE-287Improper AuthenticationCWE-94Code InjectionCWE-303Incorrect Implementation of Authentication Algorithm6 documents5 sources
Severity
7.8HIGHNVD
CNA9.8
EPSS
0.2%
top 55.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Suse Linux Enterprise Server 15 SP 3Saltstack SaltOpensuse Tumbleweed
Timeline
PublishedMar 3
Latest updateMay 24

Description

CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

CVEListV5suse/suse_linux_enterprise_server_15_sp_3salt3002.2-3
CVEListV5opensuse/tumbleweedsalt3002.2-2.1
NVDsaltstack/salt< 3002.2
PyPIsaltstack/salt< 3002.2

🔴Vulnerability Details

4
OSV
Saltstack Salt Unauthenticated Arbitrary Code Execution2022-05-24
GHSA
Saltstack Salt Unauthenticated Arbitrary Code Execution2022-05-24
OSV
CVE-2021-25315: CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute ar2021-03-03
CVEList
salt-api unauthenticated remote code execution2021-03-03

📋Vendor Advisories

1
Red Hat
salt: salt-api unauthenticated remote code exec2021-02-17