QID 376109

Date Published: 2021-12-02

QID 376109: SaltStack Salt Minion Multiple Vulnerabilities

The Salt Project is an approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.

Affected Versions:
SaltStack Salt Minion 3003.x prior to 3003.3
SaltStack Salt Minion 3002.x prior to 3002.7
SaltStack Salt Minion 3001.x prior to 3001.8
SaltStack Salt Minion 3000.x and earlier

QID Detection Logic:
This authenticated QID detects vulnerable salt-minion versions by running the following command: salt-minion --version

A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.

CVSS V3 rated as Critical - 8.1 severity.

CVSS V2 rated as High - 7.6 severity.

Solution

Customers are advised upgrade to the versions of SaltStack 3001.8, SaltStack 3002.7, SaltStack 3003.3

Vendor References

SaltStack advisory - saltproject.io/security_announcements/salt-security-advisory-2021-sep-02

CVEs related to QID 376109

CVE-2021-21996 | CVE-2021-31607 |

Software Advisories

Advisory ID	Software	Component	Link
SaltStack advisory			saltproject.io/security_announcements/salt-security-advisory-2021-sep-02/

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].