{
  "threat_severity" : "Important",
  "public_date" : "2021-02-17T00:00:00Z",
  "bugzilla" : {
    "description" : "salt: salt-api unauthenticated remote code exec",
    "id" : "1945077",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1945077"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-94",
  "details" : [ "CWE - CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.", "A flaw was found in Salt. This issue is caused by an incorrect implementation of the authentication algorithm, where openSUSE Tumbleweed allows local attackers to execute arbitrary code via Salt without the need to specify valid credentials in Salt versions before 3002.2-3. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability." ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "salt",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-25315\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-25315\nhttps://bugzilla.suse.com/show_bug.cgi?id=1182382" ],
  "name" : "CVE-2021-25315",
  "csaw" : false
}