← Back

CVE-2021-3148

nvd nist
Published: Feb 27, 2021Modified: Nov 21, 2024

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.

Affected (21)

Saltstack
1 product
Salt
Fedoraproject
1 product
Fedora
Debian
1 product
Debian Linux
Configuration A
15 vulnerable
Vulnerable SoftwareAffected Versions
Saltstack
Salt
Before 2015.8.10
Salt
From 2015.8.11 to 2015.8.13
Salt
From 2016.11.4 to 2016.11.5
Salt
From 2016.11.7 to 2016.11.10
Salt
From 2016.3.0 to 2016.3.4
Salt
From 2016.3.5 to 2016.3.6
Salt
From 2016.3.7 to 2016.3.8
Salt
From 2016.3.9 to 2016.11.3
Salt
From 2017.5.0 to 2017.7.8
Salt
From 2018.2.0 to 2018.3.5
Salt
From 2019.2.0 to 2019.2.5
Salt
From 2019.2.6 to 2019.2.8
Salt
From 3000 to 3000.6
Salt
From 3001 to 3001.4
Salt
From 3002 to 3002.5
Configuration B
3 vulnerable
Vulnerable SoftwareAffected Versions
Fedoraproject
Fedora
Version 32
Fedora
Version 33
Fedora
Version 34
Configuration C
3 vulnerable
Vulnerable SoftwareAffected Versions
Debian
Debian Linux
Version 10.0
Debian Linux
Version 11.0
Debian Linux
Version 9.0

Related CWEs

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (18)

Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.