CVE-2021-22004

An issue was discovered in SaltStack Salt before 3003.3. The salt minion installer will accept and use a minion config file at C:\salt\conf if that file is in place before the installer is run. This allows for a malicious actor to subvert the proper behaviour of the given minion software.

Published: Sep 8, 2021
Updated: Nov 8, 2023
CVE: CVE-2021-22004
GHSA: GHSA-xf37-qcvf-7m57
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.4
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Low
Score: 4.4
AV:L/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-287
CWE-362

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
saltstack / salt	-	3000.3
fedoraproject / fedora	33	33.x
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x
salt	-	3003.3

https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2021-346.yaml
https://lists.fedoraproject.org/archives/list/[email protected]/message/6BUWUF5VTENNP2ZYZBVFKPSUHLKLUBD5/
https://lists.fedoraproject.org/archives/list/[email protected]/message/ACVT7M4YLZRLWWQ6SGRK3C6TOF4FXOXT/
https://lists.fedoraproject.org/archives/list/[email protected]/message/MBAHHSGZLEJRCG4DX6J4RBWJAAWH55RQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BUWUF5VTENNP2ZYZBVFKPSUHLKLUBD5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ACVT7M4YLZRLWWQ6SGRK3C6TOF4FXOXT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MBAHHSGZLEJRCG4DX6J4RBWJAAWH55RQ/
https://saltproject.io/security_announcements/salt-security-advisory-2021-sep-02/

Vulnerability Database

289,697

CVE-2021-22004