GHSA-ghc2-hx3w-jqmp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ghc2-hx3w-jqmp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ghc2-hx3w-jqmp/GHSA-ghc2-hx3w-jqmp.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-ghc2-hx3w-jqmp
- Aliases
- Published
- 2022-05-24T17:43:23Z
- Modified
- 2024-10-23T19:17:57.106860Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- SaltStack Salt command injection in the Salt-API when using the Salt-SSH client
- Details
-
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in
salt.utils.thin.gen_thin()command injection because of different handling of single versus double quotes. This is related tosalt/utils/thin.py. - Database specific
{ "severity": "CRITICAL", "nvd_published_at": "2021-02-27T05:15:00Z", "github_reviewed": true, "cwe_ids": [ "CWE-77" ], "github_reviewed_at": "2024-04-22T21:16:52Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-3148
- https://www.debian.org/security/2021/dsa-5011
- https://security.gentoo.org/glsa/202310-22
- https://security.gentoo.org/glsa/202103-01
- https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB
- https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html
- https://github.com/saltstack/salt/releases
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3002.3.rst#L23
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3001.5.rst#L23
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3000.7.rst#L23
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/CHANGELOG.md?plain=1#L2374
- https://github.com/saltstack/salt
- https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2021-55.yaml
Affected packages
PyPI
salt
Package
- Name
- salt
- View open source insights on deps.dev
- Purl
- pkg:pypi/salt
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2015.8.13
Affected versions
0.*
0.8.7
0.8.9
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.9.1
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.11.0
0.11.1
0.12.0
0.12.1
0.13.0
0.13.1
0.13.2
0.13.3
0.14.0
0.14.1
0.15.0
0.15.1
0.15.2
0.15.3
0.15.90
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.17.0rc1
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
2014.*
2014.1.0rc1
2014.1.0rc2
2014.1.0rc3
2014.1.0
2014.1.1
2014.1.2
2014.1.3
2014.1.4
2014.1.5
2014.1.6
2014.1.7
2014.1.8
2014.1.9
2014.1.10
2014.1.11
2014.1.12
2014.1.13
2014.7.0rc1
2014.7.0rc2
2014.7.0rc3
2014.7.0rc4
2014.7.0rc5
2014.7.0rc6
2014.7.0rc7
2014.7.0
2014.7.1
2014.7.2
2014.7.3
2014.7.4
2014.7.5
2014.7.6
2014.7.7
2015.*
2015.2.0rc1
2015.2.0rc2
2015.5.0
2015.5.1
2015.5.2
2015.5.3
2015.5.4
2015.5.5
2015.5.6
2015.5.7
2015.5.8
2015.5.9
2015.5.10
2015.5.11
2015.8.0rc1
2015.8.0rc2
2015.8.0rc3
2015.8.0rc4
2015.8.0rc5
2015.8.0
2015.8.1
2015.8.2
2015.8.3
2015.8.4
2015.8.5
2015.8.7
2015.8.8
2015.8.8.2
2015.8.9
2015.8.10
2015.8.11
2015.8.12
salt
Package
- Name
- salt
- View open source insights on deps.dev
- Purl
- pkg:pypi/salt
salt
Package
- Name
- salt
- View open source insights on deps.dev
- Purl
- pkg:pypi/salt
salt
Package
- Name
- salt
- View open source insights on deps.dev
- Purl
- pkg:pypi/salt
salt
Package
- Name
- salt
- View open source insights on deps.dev
- Purl
- pkg:pypi/salt
salt
Package
- Name
- salt
- View open source insights on deps.dev
- Purl
- pkg:pypi/salt
salt
Package
- Name
- salt
- View open source insights on deps.dev
- Purl
- pkg:pypi/salt
salt
Package
- Name
- salt
- View open source insights on deps.dev
- Purl
- pkg:pypi/salt
salt
Package
- Name
- salt
- View open source insights on deps.dev
- Purl
- pkg:pypi/salt