salt is vulnerable to privilege escalation. The vulnerability exists due to the salt-api not honoring eauth credentials for the wheel_async client allowing an attacker to remotely run wheel modules on the master.
packetstormsecurity.com/files/162058/SaltStack-Salt-API-Unauthenticated-Remote-Command-Execution.html
github.com/saltstack/salt/releases
lists.debian.org/debian-lts-announce/2021/11/msg00009.html
lists.fedoraproject.org/archives/list/[email protected]/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/
lists.fedoraproject.org/archives/list/[email protected]/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/
lists.fedoraproject.org/archives/list/[email protected]/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/
saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
secdb.alpinelinux.org/v3.13/community.yaml
security.gentoo.org/glsa/202103-01
www.debian.org/security/2021/dsa-5011
www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/