CVE-2021-25283
high-risk
Published 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. The jinja renderer does not protect against server-side template injection attacks.
Do I need to act?
6.8% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Fix available
Upgrade to: c3d2c4eaaef3f26e58d2f676c7456987af866155, e8309a6bbf12b8b803fdbd410e21b8b03d8b5264, 7d79ea784414fc73afc85086ce912fda83f3497d, 24c4ae9c2148a0f48e4f28c848a5011e18b57b7a, 8cf08bd7be0110f965ca768b2e590f68e6b0a519, 40f72db53e2b22e7ef88e1e150caedfdf10772f1, a10f0146a42338e04a4e2d8066f1ee99571c9fbd, 302776b03c38514667e2292ef3553b6442ee776d, d520f9acc16ac5df744c08fe5153164876c1c9ee, 5da2de946d243b538926f4992a1ee9a9d865e62d, 56d1cab54def97b417f66aadf724eaffc3ee86a9, c77785846af50970f4d6c69234d1a9d2a4e0020b, 8e94b352cc183aee9118e03a52e6eebb89469557, 53efaab6403a751e6e74dcf53e8c6d5be05b0515
CVSS 9.8/10
Critical
NETWORK / LOW complexity
Affected Products (7)
Affected Vendors
References (18)
Third Party Advisory
https://github.com/saltstack/salt/releases
Third Party Advisory
https://security.gentoo.org/glsa/202103-01
Third Party Advisory
https://security.gentoo.org/glsa/202310-22
Third Party Advisory
https://www.debian.org/security/2021/dsa-5011
Third Party Advisory
55 / 100
high-risk
Severity
32/34 · Critical
Exploitability
9/34 · Low
Exposure
14/34 · Moderate