salt-api unauthenticated remote code execution
CVE-2021-25315

9.8CRITICAL

Key Information:

Vendor: Suse
Status: Suse Linux Enterprise Server 15 Sp 3; Tumbleweed
Vendor: CVE Published:; 3 March 2021

Summary

CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.

Affected Version(s)

SUSE Linux Enterprise Server 15 SP 3 salt < 3002.2-3

Tumbleweed salt <= 3002.2-2.1

References

https://bugzilla.suse.com/show_bug.cgi?id=1182382

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 3, 2021
Vulnerability Reserved
Jan 19, 2021