Lucene search

K
debiancveDebian Security Bug TrackerDEBIANCVE:CVE-2021-25281
HistoryFeb 27, 2021 - 5:15 a.m.

CVE-2021-25281

2021-02-2705:15:00
Debian Security Bug Tracker
security-tracker.debian.org
10

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.874 High

EPSS

Percentile

98.6%

An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.

OSVersionArchitecturePackageVersionFilename
Debian11allsalt< 3002.5+dfsg1-1salt_3002.5+dfsg1-1_all.deb
Debian10allsalt< 2018.3.4+dfsg1-6+deb10u3salt_2018.3.4+dfsg1-6+deb10u3_all.deb
Debian999allsalt< 3002.5+dfsg1-1salt_3002.5+dfsg1-1_all.deb

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.874 High

EPSS

Percentile

98.6%