CVE-2021-25283
Description
An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SaltStack Salt before 3002.5 allows server-side template injection in the Jinja renderer, leading to remote code execution.
Vulnerability
CVE-2021-25283 is a server-side template injection (SSTI) vulnerability in the Jinja renderer component of SaltStack Salt before version 3002.5 [1]. The Jinja renderer does not properly sandbox or sanitize user-controlled templates, allowing an attacker to inject arbitrary Jinja template code [1]. This is a classic SSTI flaw where the template engine evaluates expressions without proper context isolation.
Exploitation
An attacker with the ability to control a template's content—whether through pillar data, grain values, or other SLS file inputs—can craft a malicious Jinja expression [1][4]. The attack requires some degree of access to the Salt master or minion, such as being able to modify state files or set pillar/grain values. No special authentication is needed beyond what is required to submit those inputs [4].
Impact
Successful exploitation allows the attacker to execute arbitrary Python code on the Salt master or minion that processes the injected template [1]. This can lead to full compromise of the affected Salt infrastructure, including privilege escalation, data exfiltration, and lateral movement [1][3]. The severity is reflected in a high CVSS score.
Mitigation
The vulnerability is fixed in Salt version 3002.5 and later [1][2]. Users should upgrade immediately. There is no workaround other than restricting template input sources and updating to the patched version.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
saltPyPI | < 2015.8.13 | 2015.8.13 |
saltPyPI | >= 2016.3.0, < 2016.11.5 | 2016.11.5 |
saltPyPI | >= 2016.11.7, < 2016.11.10 | 2016.11.10 |
saltPyPI | >= 2017.5.0, < 2017.7.8 | 2017.7.8 |
saltPyPI | >= 2018.2.0, <= 2018.3.5 | — |
saltPyPI | >= 2019.2.0, < 2019.2.8 | 2019.2.8 |
saltPyPI | >= 3000, < 3000.7 | 3000.7 |
saltPyPI | >= 3001, < 3001.5 | 3001.5 |
saltPyPI | >= 3002, < 3002.5 | 3002.5 |
Affected products
32- SaltStack/Saltdescription
- ghsa-coords31 versionspkg:pypi/saltpkg:rpm/opensuse/salt&distro=openSUSE%20Leap%2015.2pkg:rpm/suse/py26-compat-salt&distro=SUSE%20Manager%20Server%20Module%204.0pkg:rpm/suse/py26-compat-salt&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/release-notes-susemanager&distro=SUSE%20Manager%20Server%204.0pkg:rpm/suse/release-notes-susemanager&distro=SUSE%20Manager%20Server%204.1pkg:rpm/suse/release-notes-susemanager-proxy&distro=SUSE%20Manager%20Proxy%204.0pkg:rpm/suse/release-notes-susemanager-proxy&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/release-notes-susemanager-proxy&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0pkg:rpm/suse/release-notes-susemanager-proxy&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/salt&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Advanced%20Systems%20Management%2012pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%202%2015%20SP2pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP2pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2012%20SP2pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-CLIENT-TOOLSpkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-CLIENT-TOOLSpkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/salt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/salt&distro=SUSE%20Manager%20Client%20Tools%2012pkg:rpm/suse/salt&distro=SUSE%20Manager%20Proxy%204.0pkg:rpm/suse/salt&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0pkg:rpm/suse/salt&distro=SUSE%20Manager%20Server%204.0
< 2015.8.13+ 30 more
- (no CPE)range: < 2015.8.13
- (no CPE)range: < 3000-lp152.3.27.1
- (no CPE)range: < 2016.11.10-10.22.1
- (no CPE)range: < 2016.11.10-6.8.1
- (no CPE)range: < 4.0.12.1-3.68.1
- (no CPE)range: < 4.1.5.1-3.38.1
- (no CPE)range: < 4.0.12.1-0.16.52.1
- (no CPE)range: < 4.1.5.1-3.26.1
- (no CPE)range: < 4.0.12.1-0.16.52.1
- (no CPE)range: < 4.1.5.1-3.26.1
- (no CPE)range: < 3000-24.1
- (no CPE)range: < 3000-24.1
- (no CPE)range: < 3000-24.1
- (no CPE)range: < 3000-5.106.1
- (no CPE)range: < 3000-5.106.1
- (no CPE)range: < 3000-46.129.1
- (no CPE)range: < 3000-24.1
- (no CPE)range: < 3000-24.1
- (no CPE)range: < 3000-24.1
- (no CPE)range: < 3000-46.129.1
- (no CPE)range: < 2016.11.10-43.69.1
- (no CPE)range: < 2016.11.10-43.69.1
- (no CPE)range: < 3000-24.1
- (no CPE)range: < 3000-24.1
- (no CPE)range: < 3000-5.106.1
- (no CPE)range: < 3000-5.106.1
- (no CPE)range: < 3000-24.1
- (no CPE)range: < 3000-46.129.1
- (no CPE)range: < 3000-24.1
- (no CPE)range: < 3000-24.1
- (no CPE)range: < 3000-24.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
20- github.com/advisories/GHSA-xgmh-gfxw-2hvvghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2021-25283ghsaADVISORY
- security.gentoo.org/glsa/202103-01ghsavendor-advisoryWEB
- security.gentoo.org/glsa/202310-22ghsavendor-advisoryWEB
- www.debian.org/security/2021/dsa-5011ghsavendor-advisoryWEB
- github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2021-52.yamlghsaWEB
- github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3001.5.rstghsaWEB
- github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3002.5.rstghsaWEB
- lists.debian.org/debian-lts-announce/2021/11/msg00009.htmlghsamailing-listWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVBghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XHghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVBghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XHghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5ghsaWEB
- saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25ghsaWEB
- saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/mitre
News mentions
0No linked articles in our index yet.