CVE-2021-3144

Description

In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)

How to fix CVE-2021-3144

To remediate CVE-2021-3144, upgrade the affected package to a fixed version below.

• PyPI/salt—upgrade to 2015.8.13 or later
• PyPI/salt—upgrade to 2015.8.10 or later

Is CVE-2021-3144 being exploited?

Moderate — EPSS is 5.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

• from 0, < 2015.8.13
• from 0, < 2015.8.10, >= 2015.8.11, < 2015.8.13, >= 2016.3.0, < 2016.3.4, >= 2016.3.5, < 2016.3.6, >= 2016.3.7, < 2016.3.8, >= 2016.11.0, < 2016.11.3, >= 2016.11.4, < 2016.11.5, >= 2016.11.7, < 2016.11.10, >= 2017.7.0, < 2017.7.8, >= 2018.3.0rc1, < 2019.2.0rc1, >= 2019.2.0, < 2019.2.5, >= 2019.2.6, < 2019.2.8, >= 3000, < 3000.6, >= 3001, < 3001.4, >= 3002, < 3002.5

CVSS scores

References (24)

• ADVISORYgithub.com/advisories/GHSA-w2hr-3mc8-46gh
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-3144
• PATCHgithub.com/saltstack/salt
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2021-54.yaml