CVE-2021-25284 - OpenCVE

An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:L/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Saltstack	Salt
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::
	cpe:2.3:a:saltstack:salt::::::::

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:32:::::::*
	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

References

Link	Resource
https://github.com/saltstack/salt/releases	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/	Mailing List Third Party Advisory
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/	Vendor Advisory
https://security.gentoo.org/glsa/202103-01	Third Party Advisory
https://security.gentoo.org/glsa/202310-22	Third Party Advisory
https://www.debian.org/security/2021/dsa-5011	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-02-27T00:00:00

Updated: 2023-10-31T13:06:34.088871

Reserved: 2021-01-16T00:00:00

Link: CVE-2021-25284

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-02-27T05:15:14.037

Modified: 2023-12-21T18:23:44.710

Link: CVE-2021-25284

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-25284", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2023-10-31T13:06:34.088871", "dateReserved": "2021-01-16T00:00:00", "datePublished": "2021-02-27T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-10-31T13:06:34.088871"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/saltstack/salt/releases"}, {"url": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/"}, {"name": "FEDORA-2021-904a2dbc0c", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/"}, {"name": "FEDORA-2021-5756fbf8a6", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/"}, {"name": "FEDORA-2021-43eb5584ad", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/"}, {"name": "GLSA-202103-01", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202103-01"}, {"name": "[debian-lts-announce] 20211110 [SECURITY] [DLA 2815-1] salt security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html"}, {"name": "DSA-5011", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2021/dsa-5011"}, {"name": "[debian-lts-announce] 20220103 [SECURITY] [DLA 2480-2] salt regression update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html"}, {"name": "GLSA-202310-22", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202310-22"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F9405E3-F2B0-41BA-A39D-61BB38475A59", "versionEndExcluding": "2015.8.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "A35C23D3-82D4-46E7-BF08-9229C04C0C3D", "versionEndExcluding": "2015.8.13", "versionStartIncluding": "2015.8.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4741BD5-4C40-48BC-A2C1-E6AB33818201", "versionEndExcluding": "2016.3.4", "versionStartIncluding": "2016.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D28A2B5-316A-45DC-AC85-A0F743C4B3C4", "versionEndExcluding": "2016.3.6", "versionStartIncluding": "2016.3.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "17C96153-85C1-45DC-A48B-46A3900246E2", "versionEndExcluding": "2016.3.8", "versionStartIncluding": "2016.3.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "67FBC561-336A-4F25-B347-C4CA029B6E30", "versionEndExcluding": "2016.11.3", "versionStartIncluding": "2016.3.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E17739-655C-4FAC-A73B-985132B32C73", "versionEndExcluding": "2016.11.5", "versionStartIncluding": "2016.11.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "11D84847-0C8A-473A-9186-46FABD7BB59A", "versionEndExcluding": "2016.11.10", "versionStartIncluding": "2016.11.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "3721B047-2595-4E79-8FDD-B1224FC0DD2C", "versionEndExcluding": "2017.7.8", "versionStartIncluding": "2017.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB8FA088-6AAD-46DF-884C-7362CB4BE430", "versionEndIncluding": "2018.3.5", "versionStartIncluding": "2018.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7A2912C-7F48-465D-B7F2-93ECD0D0CB74", "versionEndExcluding": "2019.2.5", "versionStartIncluding": "2019.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "40369149-A5C3-4759-844F-3510559397C5", "versionEndExcluding": "2019.2.8", "versionStartIncluding": "2019.2.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "906D2835-186A-455E-84EB-E982564B9CBD", "versionEndExcluding": "3000.6", "versionStartIncluding": "3000", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F0E0DA3-49F7-4938-9FBD-F3680B1BDBB6", "versionEndExcluding": "3001.4", "versionStartIncluding": "3001", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B757DF0-6490-4FE7-9C98-5D8C700A4377", "versionEndExcluding": "3002.5", "versionStartIncluding": "3002", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level."}, {"lang": "es", "value": "Se detect\u00f3 un problema por medio de SaltStack Salt versiones anteriores a 3002.5. salt.modules.cmdmod puede registrar credenciales para el nivel de registro de informaci\u00f3n o error"}], "id": "CVE-2021-25284", "lastModified": "2023-12-21T18:23:44.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-27T05:15:14.037", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/saltstack/salt/releases"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202103-01"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202310-22"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-5011"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}, {"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}]}