CVE-2021-25284

Published: Feb 27, 2021Modified: Nov 21, 2024

4.4

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Exploitability: 0.8 / Impact: 3.6

Source: NVD

Description

An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.

Affected (21)

Products: Saltstack: Salt · Fedoraproject: Fedora · Debian: Debian Linux

1 product

1 product

1 product

Configuration A

15 vulnerable

Vulnerable Software	Affected Versions
Saltstack Salt	Before 2015.8.10
Saltstack Salt	From 2015.8.11 to 2015.8.13
Saltstack Salt	From 2016.11.4 to 2016.11.5
Saltstack Salt	From 2016.11.7 to 2016.11.10
Saltstack Salt	From 2016.3.0 to 2016.3.4
Saltstack Salt	From 2016.3.5 to 2016.3.6
Saltstack Salt	From 2016.3.7 to 2016.3.8
Saltstack Salt	From 2016.3.9 to 2016.11.3
Saltstack Salt	From 2017.5.0 to 2017.7.8
Saltstack Salt	From 2018.2.0 to 2018.3.5
Saltstack Salt	From 2019.2.0 to 2019.2.5
Saltstack Salt	From 2019.2.6 to 2019.2.8
Saltstack Salt	From 3000 to 3000.6
Saltstack Salt	From 3001 to 3001.4
Saltstack Salt	From 3002 to 3002.5

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 32
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0
Debian Debian Linux	Version 9.0

Related CWEs

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References (20)

https://github.com/saltstack/salt/releases

Source: cve@mitre.org

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Source: cve@mitre.org

Vendor Advisory

https://security.gentoo.org/glsa/202103-01

Source: cve@mitre.org

Third Party Advisory

https://security.gentoo.org/glsa/202310-22

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2021/dsa-5011

Source: cve@mitre.org

Third Party Advisory

https://github.com/saltstack/salt/releases

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.gentoo.org/glsa/202103-01

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.gentoo.org/glsa/202310-22

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2021/dsa-5011

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.