← Back

CVE-2021-3197

nvd nist
Published: Feb 27, 2021Modified: Nov 21, 2024

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.

Affected (21)

Saltstack
1 product
Salt
Fedoraproject
1 product
Fedora
Debian
1 product
Debian Linux
Configuration A
15 vulnerable
Vulnerable SoftwareAffected Versions
Saltstack
Salt
Before 2015.8.10
Salt
From 2015.8.11 to 2015.8.13
Salt
From 2016.11.4 to 2016.11.5
Salt
From 2016.11.7 to 2016.11.10
Salt
From 2016.3.0 to 2016.3.4
Salt
From 2016.3.5 to 2016.3.6
Salt
From 2016.3.7 to 2016.3.8
Salt
From 2016.3.9 to 2016.11.3
Salt
From 2017.5.0 to 2017.7.8
Salt
From 2018.2.0 to 2018.3.5
Salt
From 2019.2.0 to 2019.2.5
Salt
From 2019.2.6 to 2019.2.8
Salt
From 3000 to 3000.6
Salt
From 3001 to 3001.4
Salt
From 3002 to 3002.5
Configuration B
3 vulnerable
Vulnerable SoftwareAffected Versions
Fedoraproject
Fedora
Version 32
Fedora
Version 33
Fedora
Version 34
Configuration C
3 vulnerable
Vulnerable SoftwareAffected Versions
Debian
Debian Linux
Version 10.0
Debian Linux
Version 11.0
Debian Linux
Version 9.0

Related CWEs

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (20)

Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.