Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2021-3197

Опубликовано: 27 фев. 2021
Источник: debian

Описание

An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
saltfixed3002.5+dfsg1-1package
saltfixed2018.3.4+dfsg1-6+deb10u3busterpackage

Примечания

  • https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

  • https://github.com/saltstack/salt/commit/5273722c2180c394bc426f731450b95809ca952e (v3002.3)

  • https://github.com/saltstack/salt/commit/039b7f3f5713170799363d96e6263c2809e4245c (v3002.3)

  • Regression: https://github.com/saltstack/salt/pull/59664

  • Regression fix: https://github.com/saltstack/salt/commit/51f350fcdf4b14e4f16cedabd743ca23c574a186

  • Regression follow-up: https://github.com/saltstack/salt/pull/59748

  • Regression follow-up fix: https://github.com/saltstack/salt/commit/61d74a7e3bc4dfd6f16a7f123e76d0824059217d

Связанные уязвимости

ubuntu логотип

CVE-2021-3197

CVSS3: 9.8
ubuntu
почти 5 лет назад

An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.

redhat логотип

CVE-2021-3197

CVSS3: 7.5
redhat
почти 5 лет назад

An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.

nvd логотип

CVE-2021-3197

CVSS3: 9.8
nvd
почти 5 лет назад

An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.

github логотип

GHSA-8rp6-x3r7-5qw3

CVSS3: 9.8
github
больше 3 лет назад

SaltStack Salt is vulnerable to shell injection via ProxyCommand argument

fstec логотип

BDU:2021-06345

CVSS3: 9.8
fstec
почти 5 лет назад

Уязвимость системы управления конфигурациями и удалённого выполнения операций SaltStack Salt, позволяющая нарушителю выполнять произвольные команды с повышенными привилегиями