Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Multiple High Severity Vulnerabilities in SaltStack

26 February 2021

The Salt Project has released security updates to address multiple vulnerabilities. 7 out of 10 of them were rated as high severity.

  • CVE-2021-3197: The Salt-API’s SSH client is vulnerable to a shell injection

  • CVE-2021-25281: The Salt-API does not have eAuth credentials for the wheel_async client

  • CVE-2021-25283: The jinja renderer does not protect against server-side template injection attacks

  • CVE-2020-35662: Several places where Salt was not verifying the SSL cert by default

  • CVE-2021-3144: Tokens can be used once after expiration

  • CVE-2020-28972: Missing validation on SSL certificate

  • CVE-2020-28243: Local privilege escalation in the Minion

Administrators and users of SaltStack are advised to upgrade to the latest versions immediately.

These versions have been updated for this security release:

  • 3002.5

  • 3001.6

  • 3000.8

Security patch files can be found at: https://gitlab.com/saltstack/open/salt-patches

Patches are available for the following versions:

  • 3002.2

  • 3001.4

  • 3000.6

  • 2019.2.8

  • 2019.2.5

  • 2018.3.5

  • 2017.7.8

  • 2016.11.10

  • 2016.11.6

  • 2016.11.5

  • 2016.11.3

  • 2016.3.8

  • 2016.3.6

  • 2016.3.4

  • 2015.8.13

  • 2015.8.10

NOTE: If you are running an older version of Salt not listed on either of these sites, please update to a listed version before applying an available patch.

Back to top