salt-api unauthenticated remote code execution

CVE-2021-25315

9.8CRITICAL

Key Information

Vendor: Suse
Status: Suse Linux Enterprise Server 15 Sp 3; Tumbleweed
Vendor: CVE Published:; 3 March 2021

Summary

CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.

Affected Version(s)

SUSE Linux Enterprise Server 15 SP 3 < 3002.2-3

Tumbleweed <= 3002.2-2.1

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: 7.8 to: 9.8 - (CRITICAL)
Feb 22, 2024
Vulnerability published.
Mar 3, 2021
Vulnerability Reserved.
Jan 19, 2021

Collectors

NVD DatabaseMitre Database