CVE-2021-25281
Description
An issue was discovered in SaltStack Salt before 3002.5: salt-api does not honor eauth credentials for the wheel_async client, so an attacker can remotely run any wheel module on the master.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SaltStack Salt before 3002.5 allows remote execution of arbitrary wheel modules on the master through salt-api's wheel_async client, because the eauth credentials supplied with such requests are never validated.
Vulnerability
Overview
The vulnerability (CVE-2021-25281) is an authentication bypass in salt-api, Salt's REST interface. The wheel_async client does not validate the eauth credentials attached to a request, so an attacker can invoke wheel modules without a valid account or token [1]. The root cause is the missing credential check in the API's handling of asynchronous wheel requests; the synchronous wheel path is not affected.
Exploitation
Exploitation requires network access to the salt-api process, which with the default rest_cherrypy module listens on TCP port 8000. Because the eauth credentials on a wheel_async request are not checked, no valid account, password or token is needed: the attacker sends a request naming the wheel_async client, the wheel function to run and its arguments [1]. Public proof-of-concept code exists demonstrating the exploitation [1].
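A check for the behaviour described above, added here as an example and not taken from the Salt project or from the cited proof of concept. It assumes the rest_cherrypy /run endpoint (a JSON lowstate with client, fun and eauth fields, answered with HTTP 401 when authentication fails) and deliberately uses the wheel function error.error, which exists only to raise an exception, so a still-vulnerable master runs nothing of consequence. The host, port, user name and password are placeholders.

```python
"""Probe whether a salt-api instance rejects a wheel_async call that carries
bogus eauth credentials (CVE-2021-25281).

Added example, not code from the Salt project or the public PoC. Assumptions:
rest_cherrypy /run endpoint, JSON lowstate, 401 on failed eauth, and the
wheel module error.error being present (it only raises an exception).
"""
import json
import ssl
import sys
import urllib.error
import urllib.request

PATCHED = "PATCHED"
VULNERABLE = "VULNERABLE"
INCONCLUSIVE = "INCONCLUSIVE"


def build_probe(fun="error.error"):
    """Lowstate for POST /run. The credentials are deliberately invalid:
    a patched salt-api answers 401 before dispatching the wheel call,
    a vulnerable one never looks at them."""
    return {
        "client": "wheel_async",
        "fun": fun,
        "eauth": "pam",
        "username": "cve-2021-25281-probe",   # placeholder, not a real account
        "password": "not-a-real-password",    # placeholder
    }


def classify(status, body):
    """Turn the HTTP status and body of the /run response into a verdict.

    Returns (verdict, detail). Only a 401 shows the credentials were checked;
    a 200 means the wheel_async call was accepted without valid eauth."""
    if status == 401:
        return PATCHED, "salt-api rejected the bogus eauth credentials"
    if status == 200:
        try:
            payload = json.loads(body)
        except ValueError:
            return VULNERABLE, "request accepted (200) with a non-JSON body"
        ret = payload.get("return") if isinstance(payload, dict) else None
        # wheel_async answers with job metadata for the queued call
        if isinstance(ret, list) and ret and isinstance(ret[0], dict) and "jid" in ret[0]:
            return VULNERABLE, "wheel_async queued job {}".format(ret[0]["jid"])
        return VULNERABLE, "request accepted (200) without an eauth check"
    return INCONCLUSIVE, "unexpected HTTP status {}".format(status)


def probe(base_url, verify_tls=True, timeout=10):
    """POST the probe lowstate to <base_url>/run and classify the answer."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/run",
        data=json.dumps(build_probe()).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    ctx = None
    if not verify_tls:  # salt-api is often deployed with a self-signed cert
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode(errors="replace"))


if __name__ == "__main__":
    # Usage: python probe.py https://salt-master.example.internal:8000 [--insecure]
    verdict, detail = probe(sys.argv[1], verify_tls="--insecure" not in sys.argv)
    print(verdict, "-", detail)
```

Run it only against masters you are authorised to test. A PATCHED verdict proves nothing beyond this one code path, and an INCONCLUSIVE result (for example a 404 because salt-api is fronted by a proxy that rewrites paths) should be followed up with a version check rather than treated as safe.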
Impact
Successful exploitation allows an attacker to execute arbitrary wheel modules on the Salt master. Wheel modules manage master-side state such as minion keys, the master configuration and the pillar and file roots, so control of them amounts to full control of the master and every minion it manages. From there the attacker can execute commands, exfiltrate data and pivot further into the infrastructure.
Mitigation
The fix shipped in the Salt security release announced on February 25, 2021; the CVE description names 3002.5 as the first fixed version [2]. Installations running older versions should upgrade immediately. The PyPA advisory database also tracks the affected and patched version ranges [4].
Note: the vendor announcement gives no configuration workaround. Until a patched version is installed, limiting network reach to the salt-api listener (or stopping salt-api outright) reduces exposure but does not remove the flaw; upgrading is the only fix.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory. The patched versions it lists for the 3000, 3001 and 3002 branches (3000.7, 3001.5, 3002.3) are lower than the 3002.5 cutoff in the CVE description above; where the two disagree, follow the vendor announcement.
| Package | Affected versions | Patched versions |
|---|---|---|
| salt (PyPI) | < 2015.8.13 | 2015.8.13 |
| salt (PyPI) | >= 2016.3.0, < 2016.11.5 | 2016.11.5 |
| salt (PyPI) | >= 2016.11.7, < 2016.11.10 | 2016.11.10 |
| salt (PyPI) | >= 2017.5.0, < 2017.7.8 | 2017.7.8 |
| salt (PyPI) | >= 2018.2.0, <= 2018.3.5 | none |
| salt (PyPI) | >= 2019.2.0, < 2019.2.8 | 2019.2.8 |
| salt (PyPI) | >= 3000, < 3000.7 | 3000.7 |
| salt (PyPI) | >= 3001, < 3001.5 | 3001.5 |
| salt (PyPI) | >= 3002, < 3002.3 | 3002.3 |
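A version check against the ranges in the table above, added here as an example and not code from the Salt project. The ranges are copied from that table; the version strings it runs on are constructed samples, and the parser assumes Salt's numeric dotted scheme (2019.2.8, 3002.5), ignoring packaging suffixes such as +ds-1. Because the table's patched versions are lower than the 3002.5 named in the CVE description, a 3002.3 or 3002.4 install that this check reports as outside the ranges should still be compared against the vendor announcement.

```python
"""Decide whether an installed Salt version falls inside the affected ranges
listed in the advisory table on this page (CVE-2021-25281).

Added example, not code from the Salt project. Ranges copied from the table;
sample inputs are constructed. Assumes `salt --version` prints 'salt <ver>'.
"""
import re

# (introduced, fixed, last_affected) per advisory row; None = no bound.
# The 2018 row has no patched release in its branch, so it carries last_affected.
AFFECTED_RANGES = [
    (None,        "2015.8.13",  None),
    ("2016.3.0",  "2016.11.5",  None),
    ("2016.11.7", "2016.11.10", None),
    ("2017.5.0",  "2017.7.8",   None),
    ("2018.2.0",  None,         "2018.3.5"),
    ("2019.2.0",  "2019.2.8",   None),
    ("3000",      "3000.7",     None),
    ("3001",      "3001.5",     None),
    ("3002",      "3002.3",     None),
]

_NUMERIC = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text):
    """'3002.5' -> (3002, 5); '2019.2.8+ds-1' -> (2019, 2, 8). Raises on junk.
    Tuples compare component-wise, and a shorter tuple sorts before a longer
    one with the same prefix, so (3000,) < (3000, 7) as Salt intends."""
    m = _NUMERIC.match(text.strip())
    if not m:
        raise ValueError("not a Salt version: {!r}".format(text))
    return tuple(int(p) for p in m.group(1).split("."))


def version_from_cli_output(text):
    """Pull the version out of `salt --version` / `salt-api --version` output,
    which prints e.g. 'salt 3002.4' (output format assumed here)."""
    m = re.search(r"\bsalt(?:-api|-master)?\s+(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version found in: {!r}".format(text))
    return m.group(1)


def affected_range(version):
    """Return the advisory row that covers `version`, or None if no row does."""
    v = parse_version(version)
    for introduced, fixed, last_affected in AFFECTED_RANGES:
        if introduced is not None and v < parse_version(introduced):
            continue
        if fixed is not None and v >= parse_version(fixed):
            continue
        if last_affected is not None and v > parse_version(last_affected):
            continue
        return (introduced, fixed, last_affected)
    return None


def is_affected(version):
    return affected_range(version) is not None


if __name__ == "__main__":
    # Constructed sample outputs; on a real host pipe `salt --version` in instead.
    for line in ["salt 3002.2", "salt 3002.4", "salt 2018.3.5", "salt-api 3000.7"]:
        ver = version_from_cli_output(line)
        print(line, "->", "AFFECTED" if is_affected(ver) else "not in advisory ranges")
```

The check reports a version only against the published ranges; it does not know whether a distribution has backported the fix to an older version string, so for the SUSE, Debian, Fedora and Gentoo packages listed below the distribution's own advisory is the authority.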
Affected products
SaltStack/Salt (GHSA package coordinates; 31 version entries, no CPE assigned). Ranges are distribution package versions, listed in the same order as the package coordinates.

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:pypi/salt | PyPI | < 2015.8.13 |
| pkg:rpm/opensuse/salt | openSUSE Leap 15.2 | < 3000-lp152.3.27.1 |
| pkg:rpm/suse/py26-compat-salt | SUSE Manager Server Module 4.0 | < 2016.11.10-10.22.1 |
| pkg:rpm/suse/py26-compat-salt | SUSE Manager Server Module 4.1 | < 2016.11.10-6.8.1 |
| pkg:rpm/suse/release-notes-susemanager | SUSE Manager Server 4.0 | < 4.0.12.1-3.68.1 |
| pkg:rpm/suse/release-notes-susemanager | SUSE Manager Server 4.1 | < 4.1.5.1-3.38.1 |
| pkg:rpm/suse/release-notes-susemanager-proxy | SUSE Manager Proxy 4.0 | < 4.0.12.1-0.16.52.1 |
| pkg:rpm/suse/release-notes-susemanager-proxy | SUSE Manager Proxy 4.1 | < 4.1.5.1-3.26.1 |
| pkg:rpm/suse/release-notes-susemanager-proxy | SUSE Manager Retail Branch Server 4.0 | < 4.0.12.1-0.16.52.1 |
| pkg:rpm/suse/release-notes-susemanager-proxy | SUSE Manager Retail Branch Server 4.1 | < 4.1.5.1-3.26.1 |
| pkg:rpm/suse/salt | SUSE Enterprise Storage 6 | < 3000-24.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | < 3000-24.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | < 3000-24.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise High Performance Computing 15-ESPOS | < 3000-5.106.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise High Performance Computing 15-LTSS | < 3000-5.106.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Module for Advanced Systems Management 12 | < 3000-46.129.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Module for Basesystem 15 SP2 | < 3000-24.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Module for Python 2 15 SP2 | < 3000-24.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Module for Server Applications 15 SP2 | < 3000-24.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Point of Sale 12 SP2 | < 3000-46.129.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS | < 2016.11.10-43.69.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS | < 2016.11.10-43.69.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Server 15 SP1-BCL | < 3000-24.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Server 15 SP1-LTSS | < 3000-24.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Server 15-LTSS | < 3000-5.106.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Server for SAP Applications 15 | < 3000-5.106.1 |
| pkg:rpm/suse/salt | SUSE Linux Enterprise Server for SAP Applications 15 SP1 | < 3000-24.1 |
| pkg:rpm/suse/salt | SUSE Manager Client Tools 12 | < 3000-46.129.1 |
| pkg:rpm/suse/salt | SUSE Manager Proxy 4.0 | < 3000-24.1 |
| pkg:rpm/suse/salt | SUSE Manager Retail Branch Server 4.0 | < 3000-24.1 |
| pkg:rpm/suse/salt | SUSE Manager Server 4.0 | < 3000-24.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xxw3-765m-f37p (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-25281 (NVD entry)
- saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25 (vendor security release announcement; cited by GHSA and MITRE)
- www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21 (vendor pre-announcement; cited by GHSA and MITRE)
- github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3000.7.rst (release notes)
- github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3001.5.rst (release notes)
- github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3002.3.rst (release notes)
- github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2021-50.yaml (PyPA advisory database)
- packetstormsecurity.com/files/162058/SaltStack-Salt-API-Unauthenticated-Remote-Command-Execution.html (public proof of concept)
- www.debian.org/security/2021/dsa-5011 (Debian security advisory)
- lists.debian.org/debian-lts-announce/2021/11/msg00009.html (Debian LTS announcement)
- security.gentoo.org/glsa/202103-01 (Gentoo security advisory)
- security.gentoo.org/glsa/202310-22 (Gentoo security advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/ (Fedora package announcement)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/ (Fedora package announcement)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/ (Fedora package announcement)
News mentions
No linked articles in our index yet.