CVE-2021-3148
published 2021-02-27CVE-2021-3148: An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command…
PriorityP262critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
8.25%
94.2th percentile
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
Affected
46 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| saltstack | salt | < 2015.8.10 | 2015.8.10 |
| saltstack | salt | >= 0 < 2015.8.10 | 2015.8.10 |
| saltstack | salt | >= 0 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 0 < 2015.8.8+ds-1ubuntu0.1+esm2 | 2015.8.8+ds-1ubuntu0.1+esm2 |
| saltstack | salt | >= 0 < 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 | 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2016.11.0 < 2016.11.3 | 2016.11.3 |
| saltstack | salt | >= 2016.11.4 < 2016.11.5 | 2016.11.5 |
| saltstack | salt | >= 2016.11.4 < 2016.11.5 | 2016.11.5 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.0 < 2016.11.5 | 2016.11.5 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |
| saltstack | salt | >= 2016.3.7 < 2016.3.8 | 2016.3.8 |
| saltstack | salt | >= 2016.3.7 < 2016.3.8 | 2016.3.8 |
Detection & IOCsextracted from sources · hover to see the quote
- →Command injection via crafted web requests to the Salt API targeting salt.utils.thin.gen_thin(), exploiting json.dumps() escaping double quotes while leaving single quotes untouched ↗
- →Monitor Salt API HTTP requests for payloads containing unescaped single quotes, which may indicate exploitation of the quote-handling discrepancy in salt/utils/thin.py ↗
- →Focus detection on the file salt/utils/thin.py and the gen_thin() function for anomalous subprocess or shell execution activity ↗
- ·Vulnerability affects SaltStack Salt versions before 3002.5; ensure patched versions are not flagged as vulnerable ↗
- ·Red Hat Ceph Storage 2 package 'salt' is out of support scope and will not receive a patch from Red Hat ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv9.8CRITICAL
vendor_redhat9.8CRITICAL
vendor_ubuntu9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Salt vulnerabilities
vendor_ubuntu·2024-08-08·CVSS 9.8
CVE-2020-16846 [CRITICAL] Salt vulnerabilities
Title: Salt vulnerabilities
Summary: Several security issues were fixed in Salt.
It was discovered that Salt incorrectly handled crafted web requests.
A remote attacker could possibly use this issue to run arbitrary
commands. (CVE-2020-16846)
It was discovered that Salt incorrectly created certificates with weak
file permissions. (CVE-2020-17490)
It was discovered that Salt incorrectly handled credential validation.
A remote attacker could possibly use this issue to bypass authentication.
(CVE-2020-25592)
It was discovered that Salt incorrectly handled crafted process names.
An attacker could possibly use this issue to run arbitrary commands.
This issue only affected Ubuntu 18.04 LTS. (CVE-2020-28243)
It was discovered that Salt incorrectly handled validation of SSL/TLS
certificates.
Red Hat
salt: Command injection in salt.utils.thin.gen_thin()
vendor_redhat·2021-02-25·CVSS 9.8
CVE-2021-3148 [CRITICAL] CWE-77 salt: Command injection in salt.utils.thin.gen_thin()
salt: Command injection in salt.utils.thin.gen_thin()
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
A flaw was found in salt. Command injection using the SaltAPI, is possible due to json.dumps() escaping double quotes while leaving the single quotes untouched. The highest threat from this vulnerability is to data confidentiality and integrity.
Package: salt (Red Hat Ceph Storage 2) - Out of support scope
OSV
salt vulnerabilities
osv·2024-08-08·CVSS 9.8
CVE-2020-16846 [CRITICAL] salt vulnerabilities
salt vulnerabilities
It was discovered that Salt incorrectly handled crafted web requests.
A remote attacker could possibly use this issue to run arbitrary
commands. (CVE-2020-16846)
It was discovered that Salt incorrectly created certificates with weak
file permissions. (CVE-2020-17490)
It was discovered that Salt incorrectly handled credential validation.
A remote attacker could possibly use this issue to bypass authentication.
(CVE-2020-25592)
It was discovered that Salt incorrectly handled crafted process names.
An attacker could possibly use this issue to run arbitrary commands.
This issue only affected Ubuntu 18.04 LTS. (CVE-2020-28243)
It was discovered that Salt incorrectly handled validation of SSL/TLS
certificates. A remote attacker could possibly use this issue to spoof
a t
OSV
SaltStack Salt command injection in the Salt-API when using the Salt-SSH client
osv·2022-05-24
CVE-2021-3148 [CRITICAL] SaltStack Salt command injection in the Salt-API when using the Salt-SSH client
SaltStack Salt command injection in the Salt-API when using the Salt-SSH client
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in `salt.utils.thin.gen_thin()` command injection because of different handling of single versus double quotes. This is related to `salt/utils/thin.py`.
GHSA
SaltStack Salt command injection in the Salt-API when using the Salt-SSH client
ghsa·2022-05-24
CVE-2021-3148 [CRITICAL] CWE-77 SaltStack Salt command injection in the Salt-API when using the Salt-SSH client
SaltStack Salt command injection in the Salt-API when using the Salt-SSH client
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in `salt.utils.thin.gen_thin()` command injection because of different handling of single versus double quotes. This is related to `salt/utils/thin.py`.
OSV
CVE-2021-3148: An issue was discovered in SaltStack Salt before 3002
osv·2021-02-27
CVE-2021-3148 CVE-2021-3148: An issue was discovered in SaltStack Salt before 3002
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/saltstack/salt/releaseshttps://lists.debian.org/debian-lts-announce/2021/11/msg00009.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/https://security.gentoo.org/glsa/202103-01https://security.gentoo.org/glsa/202310-22https://www.debian.org/security/2021/dsa-5011https://github.com/saltstack/salt/releaseshttps://lists.debian.org/debian-lts-announce/2021/11/msg00009.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/https://security.gentoo.org/glsa/202103-01https://security.gentoo.org/glsa/202310-22https://www.debian.org/security/2021/dsa-5011
2021-02-27
Published