Vulnerability Description
An issue was discovered in SaltStack Salt before 3003.3. The salt minion installer will accept and use a minion config file at C:\salt\conf if that file is in place before the installer is run. This allows for a malicious actor to subvert the proper behaviour of the given minion software.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Saltstack | Salt | < 3000.3 |
| Microsoft | Windows | - |
| Fedoraproject | Fedora | 33 |
Related Weaknesses (CWE)
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://saltproject.io/security_announcements/salt-security-advisory-2021-sep-02 (Patch, Vendor Advisory)
FAQ
What is CVE-2021-22004?
CVE-2021-22004 is a vulnerability with a CVSS score of 6.4 (MEDIUM). An issue was discovered in SaltStack Salt before 3003.3. The salt minion installer will accept and use a minion config file at C:\salt\conf if that file is in place before the installer is run. This a...
How severe is CVE-2021-22004?
CVE-2021-22004 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-22004?
Check the references section above for vendor advisories and patch information. Affected products include: Saltstack Salt, Microsoft Windows, Fedoraproject Fedora.