CVE-2021-25281

unknown

Published 2022-05-24 · Modified 2024-04-22

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

—

Description

An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2021-25281.html

OS impact

OS	Version	Status	Fixed in
sles		affected

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	salt	`<2015.8.13`	`2015.8.13`
PyPI	salt	`>=2016.3.0,<2016.11.5`	`2016.11.5`
PyPI	salt	`>=2016.11.7,<2016.11.10`	`2016.11.10`
PyPI	salt	`>=2017.5.0,<2017.7.8`	`2017.7.8`
PyPI	salt	`>=2018.2.0,<=2018.3.5`
PyPI	salt	`>=2019.2.0,<2019.2.8`	`2019.2.8`
PyPI	salt	`>=3000,<3000.7`	`3000.7`
PyPI	salt	`>=3001,<3001.5`	`3001.5`
PyPI	salt	`>=3002,<3002.3`	`3002.3`
PyPI	salt	`>=3002,<3002.5`	`2015.8.10`

References

Verify integrity in audit chain (admin only). AS-IS.