Vulnerability Details : CVE-2021-3144
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
Products affected by CVE-2021-3144
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
- cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-3144
6.20%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 90 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-3144
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
3.9
|
5.2
|
NIST |
CWE ids for CVE-2021-3144
-
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-3144
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/
[SECURITY] Fedora 33 Update: salt-3002.5-1.fc33 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/
[SECURITY] Fedora 34 Update: salt-3002.5-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202103-01
Salt: Multiple vulnerabilities (GLSA 202103-01) — Gentoo securityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/
[SECURITY] Fedora 33 Update: salt-3002.5-1.fc33 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://www.debian.org/security/2021/dsa-5011
Debian -- Security Information -- DSA-5011-1 saltThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/
[SECURITY] Fedora 32 Update: salt-3001.6-1.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
Active SaltStack CVE Release 2021-FEB-25 – Salt ProjectVendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/
[SECURITY] Fedora 34 Update: salt-3002.5-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html
[SECURITY] [DLA 2815-1] salt security updateMailing List;Third Party Advisory
-
https://github.com/saltstack/salt/releases
Releases · saltstack/salt · GitHubThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/
[SECURITY] Fedora 32 Update: salt-3001.6-1.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202310-22
Salt: Multiple Vulnerabilities (GLSA 202310-22) — Gentoo securityThird Party Advisory
Jump to