CVE-2021-3148
- Source
- https://cve.org/CVERecord?id=CVE-2021-3148
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3148.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-3148
- Aliases
- Downstream
- Related
- Published
- 2021-02-27T05:15:14.190Z
- Modified
- 2026-04-02T06:50:46.057050Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
- References
-
- https://github.com/saltstack/salt/releases
- https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html
- https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
- https://security.gentoo.org/glsa/202310-22
- https://www.debian.org/security/2021/dsa-5011
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/
- https://security.gentoo.org/glsa/202103-01
Affected packages
Git / github.com/saltstack/salt
Affected ranges
- Type
- GIT
- Repo
- https://github.com/saltstack/salt
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "2015.8.10" }, { "introduced": "2015.8.11" }, { "fixed": "2015.8.13" }, { "introduced": "2016.3.0" }, { "fixed": "2016.3.4" }, { "introduced": "2016.3.5" }, { "fixed": "2016.3.6" }, { "introduced": "2016.3.7" }, { "fixed": "2016.3.8" }, { "introduced": "2016.3.9" }, { "fixed": "2016.11.3" }, { "introduced": "2016.11.4" }, { "fixed": "2016.11.5" }, { "introduced": "2016.11.7" }, { "fixed": "2016.11.10" }, { "introduced": "2017.5.0" }, { "fixed": "2017.7.8" }, { "introduced": "2018.2.0" }, { "last_affected": "2018.3.5" }, { "introduced": "2019.2.0" }, { "fixed": "2019.2.5" }, { "introduced": "2019.2.6" }, { "fixed": "2019.2.8" }, { "introduced": "3000" }, { "fixed": "3000.6" }, { "introduced": "3001" }, { "fixed": "3001.4" }, { "introduced": "3002" }, { "fixed": "3002.5" } ] }
Affected versions
old-branch-0.*
old-branch-0.11
old-branch-0.12
old-branch-0.13
old-branch-0.14
old-branch-0.15
old-branch-0.16
old-branch-0.17
old-branch-2014.*
old-branch-2014.1
old-branch-2014.7
old-branch-2015.*
old-branch-2015.5
old-branch-2019.*
old-branch-2019.2.3
v0.*
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.10.5
v0.11.0
v0.11.1
v0.12.0
v0.12.1
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.15.90
v0.16
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17
v0.17.0
v0.17.0rc1
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.17.5
v0.6.0
v0.7.0
v0.8.0
v0.8.7
v0.8.8
v0.8.9
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v2014.*
v2014.1
v2014.1.0
v2014.1.0rc1
v2014.1.0rc2
v2014.1.0rc3
v2014.1.1
v2014.1.10
v2014.1.11
v2014.1.12
v2014.1.13
v2014.1.2
v2014.1.3
v2014.1.4
v2014.1.5
v2014.1.6
v2014.1.7
v2014.1.8
v2014.1.9
v2014.7
v2014.7.0
v2014.7.0rc1
v2014.7.0rc2
v2014.7.0rc3
v2014.7.0rc4
v2014.7.0rc5
v2014.7.0rc6
v2014.7.0rc7
v2014.7.1
v2014.7.2
v2014.7.3
v2014.7.4
v2014.7.5
v2014.7.6
v2014.7.7
v2014.7.8
v2014.7.9
v2015.*
v2015.2
v2015.2.0rc1
v2015.2.0rc2
v2015.5
v2015.5.0
v2015.5.1
v2015.5.10
v2015.5.11
v2015.5.2
v2015.5.3
v2015.5.4
v2015.5.5
v2015.5.6
v2015.5.7
v2015.5.8
v2015.5.9
v2015.8
v2015.8.0
v2015.8.0rc1
v2015.8.0rc2
v2015.8.0rc3
v2015.8.0rc4
v2015.8.0rc5
v2015.8.1
v2015.8.11
v2015.8.12
v2015.8.2
v2015.8.3
v2015.8.4
v2015.8.5
v2015.8.6
v2015.8.7
v2015.8.8
v2015.8.8.2
v2015.8.9
v2016.*
v2016.11
v2016.11.0
v2016.11.0rc1
v2016.11.0rc2
v2016.11.1
v2016.11.2
v2016.11.4
v2016.11.7
v2016.3
v2016.3.0
v2016.3.0rc0
v2016.3.0rc1
v2016.3.0rc2
v2016.3.0rc3
v2016.3.1
v2016.3.2
v2016.3.3
v2016.3.5
v2016.3.7
v2016.9
v2019.*
v2019.2.0
v2019.2.1
v2019.2.1rc1
v2019.2.2
v2019.2.2.2
v2019.2.2.3
v2019.2.2_docs
v2019.2.3
v2019.2.3_docs
v2019.2.4
v2019.2.4_docs
v2019.2.6
v2019.2.7
v2019.8
Other
v3000
v3000_docs
v3001
v3001rc1
v3002
v3002rc1
v3000.*
v3000.0rc1
v3000.0rc2
v3000.1
v3000.2
v3000.2_docs
v3000.3
v3000.4
v3000.5
v3001.*
v3001.1
v3001.1_docs
v3001.2
v3001.3
v3001.3_docs
v3002.*
v3002.1
v3002.2
v3002.3
v3002.4
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3148.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "32"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "33"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "34"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.0"
}
]
}
]