CVE-2021-25284: SaltStack Salt Cleartext Storage of Sensitive Information via cmdmod

May 24, 2022 (updated October 23, 2024)

An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.

References

github.com/advisories/GHSA-r55w-xph5-xvx2
github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2021-53.yaml
github.com/saltstack/salt
github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3000.7.rst
github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3001.5.rst
github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3002.3.rst
github.com/saltstack/salt/releases
lists.debian.org/debian-lts-announce/2021/11/msg00009.html
lists.debian.org/debian-lts-announce/2022/01/msg00000.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5
nvd.nist.gov/vuln/detail/CVE-2021-25284
saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25
security.gentoo.org/glsa/202103-01
security.gentoo.org/glsa/202310-22
www.debian.org/security/2021/dsa-5011

Code Behaviors & Features

Detect and mitigate CVE-2021-25284 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →