cvelist | SUSE | CVELIST:CVE-2021-25315
Mar 03, 2021 - 9:55 a.m.

CVE-2021-25315 salt-api unauthenticated remote code execution

2021-03-03 09:55:16
CWE-287
suse
www.cve.org
cve-2021-25315
salt-api
suse linux enterprise server 15 sp 3
opensuse tumbleweed
remote code execution
cwe-287
improper authentication vulnerability
arbitrary code execution

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.6
Confidence: High

EPSS: 0
Percentile: 14.2%

CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.

CNA Affected

[
  {
    "vendor": "SUSE",
    "product": "SUSE Linux Enterprise Server 15 SP 3",
    "versions": [
      {
        "version": "salt",
        "status": "affected",
        "lessThan": "3002.2-3",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "openSUSE",
    "product": "Tumbleweed",
    "versions": [
      {
        "version": "salt",
        "status": "affected",
        "lessThanOrEqual": "3002.2-2.1",
        "versionType": "custom"
      }
    ]
  }
]
