CVE-2021-3144

Published: Feb 27, 2021Modified: Nov 21, 2024

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)

Affected (21)

Products: Saltstack: Salt · Fedoraproject: Fedora · Debian: Debian Linux

1 product

1 product

1 product

Configuration A

15 vulnerable

Vulnerable Software	Affected Versions
Saltstack Salt	Before 2015.8.10
Saltstack Salt	From 2015.8.11 to 2015.8.13
Saltstack Salt	From 2016.11.4 to 2016.11.5
Saltstack Salt	From 2016.11.7 to 2016.11.10
Saltstack Salt	From 2016.3.0 to 2016.3.4
Saltstack Salt	From 2016.3.5 to 2016.3.6
Saltstack Salt	From 2016.3.7 to 2016.3.8
Saltstack Salt	From 2016.3.9 to 2016.11.3
Saltstack Salt	From 2017.5.0 to 2017.7.8
Saltstack Salt	From 2018.2.0 to 2018.3.5
Saltstack Salt	From 2019.2.0 to 2019.2.5
Saltstack Salt	From 2019.2.6 to 2019.2.8
Saltstack Salt	From 3000 to 3000.6
Saltstack Salt	From 3001 to 3001.4
Saltstack Salt	From 3002 to 3002.5

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 32
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0
Debian Debian Linux	Version 9.0

Related CWEs

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (18)

https://github.com/saltstack/salt/releases

Source: cve@mitre.org

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Source: cve@mitre.org

Vendor Advisory

https://security.gentoo.org/glsa/202103-01

Source: cve@mitre.org

Third Party Advisory

https://security.gentoo.org/glsa/202310-22

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2021/dsa-5011

Source: cve@mitre.org

Third Party Advisory

https://github.com/saltstack/salt/releases

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.gentoo.org/glsa/202103-01

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.gentoo.org/glsa/202310-22

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2021/dsa-5011

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.