Lucene search

GitHub Advisory DatabaseGHSA-R55W-XPH5-XVX2

HistoryMay 24, 2022 - 5:43 p.m.

SaltStack Salt Cleartext Storage of Sensitive Information via cmdmod

2022-05-2417:43:22

CWE-312

CWE-522

GitHub Advisory Database

github.com

1.9 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:N/C:N/I:P/A:N

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

6.5 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

18.0%

JSON

An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.

Affected configurations

Vulners

Node

saltstacksaltRange<3002.3

saltstacksaltRange<3001.5

saltstacksaltRange<3000.7

saltstacksaltRange<2019.2.8

saltstacksaltRange≤2018.3.5

saltstacksaltRange<2017.7.8

saltstacksaltRange<2016.11.10

saltstacksaltRange<2016.11.5

saltstacksaltRange<2015.8.13

CPENameOperatorVersion
saltlt3002.3
saltlt3001.5
saltlt3000.7
saltlt2019.2.8
saltle2018.3.5
saltlt2017.7.8
saltlt2016.11.10
saltlt2016.11.5
saltlt2015.8.13

Name	Operator	Version
salt	lt	3002.3
salt	lt	3001.5
salt	lt	3000.7
salt	lt	2019.2.8
salt	le	2018.3.5
salt	lt	2017.7.8
salt	lt	2016.11.10
salt	lt	2016.11.5
salt	lt	2015.8.13

References

github.com/advisories/GHSA-r55w-xph5-xvx2

github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3000.7.rst#L37

github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3001.5.rst#L37

github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3002.3.rst#L37

github.com/saltstack/salt/releases

lists.debian.org/debian-lts-announce/2021/11/msg00009.html

lists.debian.org/debian-lts-announce/2022/01/msg00000.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5

lists.fedoraproject.org/archives/list/[email protected]/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB

lists.fedoraproject.org/archives/list/[email protected]/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH

lists.fedoraproject.org/archives/list/[email protected]/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5

nvd.nist.gov/vuln/detail/CVE-2021-25284

saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25

security.gentoo.org/glsa/202103-01

security.gentoo.org/glsa/202310-22

www.debian.org/security/2021/dsa-5011

1.9 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:N/C:N/I:P/A:N

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

6.5 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

18.0%

JSON

Related for GHSA-R55W-XPH5-XVX2