CVE-2021-25283 – salt
Package
Manager: pip
Name: salt
Vulnerable Version: >=0 <2015.8.13 || >=2016.3.0 <2016.11.5 || >=2016.11.7 <2016.11.10 || >=2017.5.0 <2017.7.8 || >=2018.2.0 <=2018.3.5 || >=2019.2.0 <2019.2.8 || >=3000 <3000.7 || >=3001 <3001.5 || >=3002 <3002.5
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.05684 (percentile 0.90038)
Details
SaltStack Salt Server Side Template Injection
An issue was discovered in SaltStack Salt before 3002.5. The jinja renderer does not protect against server-side template injection attacks.
Metadata
Created: 2022-05-24T17:43:22Z
Modified: 2024-10-23T18:24:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xgmh-gfxw-2hvv/GHSA-xgmh-gfxw-2hvv.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-xgmh-gfxw-2hvv
Finding: F422
Auto approve: 1