First published: Sat Feb 27 2021(Updated: )
An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
SaltStack Salt | <2015.8.10 | |
SaltStack Salt | >=2015.8.11<2015.8.13 | |
SaltStack Salt | >=2016.3.0<2016.3.4 | |
SaltStack Salt | >=2016.3.5<2016.3.6 | |
SaltStack Salt | >=2016.3.7<2016.3.8 | |
SaltStack Salt | >=2016.3.9<2016.11.3 | |
SaltStack Salt | >=2016.11.4<2016.11.5 | |
SaltStack Salt | >=2016.11.7<2016.11.10 | |
SaltStack Salt | >=2017.5.0<2017.7.8 | |
SaltStack Salt | >=2018.2.0<=2018.3.5 | |
SaltStack Salt | >=2019.2.0<2019.2.5 | |
SaltStack Salt | >=2019.2.6<2019.2.8 | |
SaltStack Salt | >=3000<3000.6 | |
SaltStack Salt | >=3001<3001.4 | |
SaltStack Salt | >=3002<3002.5 | |
Fedoraproject Fedora | =32 | |
Fedoraproject Fedora | =33 | |
Fedoraproject Fedora | =34 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
SaltStack Salt | <3002.2<3001.4<3000.6<2019.2.8<2019.2.5<2018.3.5<2017.7.8<2016.11.10<2016.11.6<2016.11.5<2016.11.3<2016.3.8<2016.3.6<2016.3.4<2015.8.13<2015.8.10<3002.5<3001.6<3000.8<3002.5<3001.6<3000.8 | 3002.2 3001.4 3000.6 2019.2.8 2019.2.5 2018.3.5 2017.7.8 2016.11.10 2016.11.6 2016.11.5 2016.11.3 2016.3.8 2016.3.6 2016.3.4 2015.8.13 2015.8.10 3002.5 3001.6 3000.8 3002.5 3001.6 3000.8 |
pip/salt | >=3002<3002.5 | 3002.5 |
pip/salt | >=3001<3001.5 | 3001.5 |
pip/salt | >=3000<3000.7 | 3000.7 |
pip/salt | >=2019.2.0<2019.2.8 | 2019.2.8 |
pip/salt | >=2018.2.0<=2018.3.5 | |
pip/salt | >=2017.5.0<2017.7.8 | 2017.7.8 |
pip/salt | >=2016.11.7<2016.11.10 | 2016.11.10 |
pip/salt | >=2016.3.0<2016.11.5 | 2016.11.5 |
pip/salt | <2015.8.13 | 2015.8.13 |
debian/salt | ||
ubuntu/salt | <2017.7.4+dfsg1-1ubuntu18.04.2+ | 2017.7.4+dfsg1-1ubuntu18.04.2+ |
ubuntu/salt | <2015.8.8+ | 2015.8.8+ |
Update to the latest Salt release, package or patch file
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-25283 is a vulnerability in SaltStack Salt before version 3002.5 that allows server-side template injection attacks.
CVE-2021-25283 has a severity rating of 9.8 (critical).
SaltStack Salt versions 2018.3.4+dfsg1-6+deb10u3, 3002.6+dfsg1-4+deb11u1, and 3004.1+dfsg-2.2 are affected by CVE-2021-25283.
To fix CVE-2021-25283, update SaltStack Salt to version 3002.5 or later.
You can find more information about CVE-2021-25283 at the following references: [Link 1](https://github.com/saltstack/salt/releases), [Link 2](https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html), [Link 3](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/).