VDB
CVE-2021-25282
CVE-2021-25282
PUBLISHED
An issue was discovered in through SaltStack Salt before 3002.5. The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
EPSS 91.29% · 99.7th percentile
Risk Scores
EPSS Score
91.29%
99.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:16.04:LTS | salt | *, 2015.8.7+ds-1, * |
| Ubuntu:Pro:18.04:LTS | salt | 2016.11.5+ds-1, 2016.11.8+dfsg1-1, 2017.7.3+dfsg1-1 |
| Ubuntu:22.04:LTS | salt | *, 0, 3002.7+dfsg1-1 |
| Ubuntu:Pro:14.04:LTS | salt | 0.17.5+ds-1, 0.17.5+ds-1ubuntu0.1~esm1, 0.17.5+ds-1ubuntu0.1~esm4 |
Exploit Intelligence
- http://packetstormsecurity.com/files/162058/SaltStack-Salt-API-Unauthenticated-Remote-Command-Execution.html (nist-nvd)
- https://github.com/saltstack/salt/releases (circl)
- https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/ (circl)
- https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ (circl)
- FEDORA-2021-904a2dbc0c (circl)
- FEDORA-2021-5756fbf8a6 (circl)
- FEDORA-2021-43eb5584ad (circl)
- GLSA-202103-01 (circl)
- [debian-lts-announce] 20211110 [SECURITY] [DLA 2815-1] salt security update (circl)
- DSA-5011 (circl)
…and 18 more exploits
Timeline
- Feb 26, 2021 CVE Published
- Mar 31, 2021 PoC Published
- Apr 2, 2021 PoC Published
- Apr 14, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Sep 16, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Nov 20, 2021 EPSS Score
- Jan 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-25282 third-party-advisory
- https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ third-party-advisory
- https://github.com/saltstack/salt/releases third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-25282 third-party-advisory
- https://ubuntu.com/security/notices/USN-6948-1 vendor-advisory