
CVE-2021-3144: SaltStack Salt eauth tokens can be used once after expiration

CVSS Score
9.1
CVSS Version
3.1

Basic Information

EPSS Score
0.90398%
Published
5/24/2022
Updated
10/23/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package  Ecosystem  Vulnerable Versions           First Patched Version
salt     pip        < 2015.8.13                   2015.8.13
salt     pip        >= 2016.3.0, < 2016.11.5      2016.11.5
salt     pip        >= 2016.11.7, < 2016.11.10    2016.11.10
salt     pip        >= 2017.5.0, < 2017.7.8       2017.7.8
salt     pip        >= 2018.2.0, <= 2018.3.5      (not listed)
salt     pip        >= 2019.2.0, < 2019.2.8       2019.2.8
salt     pip        >= 3000, < 3000.7             3000.7
salt     pip        >= 3001, < 3001.5             3001.5
salt     pip        >= 3002, < 3002.3             3002.3

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is classed as CWE-613 (Insufficient Session Expiration): an eauth token that has already passed its expiry time is still accepted for one more request. Salt's eauth token handling in the authentication workflow is the logical place for the flaw. The authenticate_token function is directly responsible for validating tokens, so a missing or mis-ordered expiration check there would let an expired token through; the get_token method, which fetches the stored token data, could equally be at fault if it hands that data back without enforcing expiry. Exact code diffs are not provided here, but the CVE description and Salt's own release notes point to token expiration handling as the fixed component, which makes these functions the high-probability candidates. The practical impact is the one the CVE description gives: a token that should already be dead can be replayed once to run a command against the salt master or minions.
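The "usable exactly once after expiration" behaviour is easiest to understand with a small model of a file-backed token store. The following is an added example written for this page, not Salt's code: the class TokenStore, the methods get_tok_vulnerable and get_tok_fixed, the on-disk layout and the constructed clock values are all assumptions chosen to reproduce the symptom the CVE describes. The vulnerable lookup deletes an expired token but still returns its data to the caller, so the first request after expiry succeeds and only the second fails (the file is gone by then). The fixed lookup deletes the token and reports it as absent in the same step.

```python
"""
Illustrative model of CWE-613 in a file-backed eauth token store.

Added example, not SaltStack code. Names, file layout and timestamps
are assumptions; the point is the ordering of "delete expired token"
versus "return token data".
"""
import json
import os
import tempfile
import time


class TokenStore:
    """Minimal token store: one JSON file per token under `root`."""

    def __init__(self, root):
        self.root = root

    def _path(self, tok):
        return os.path.join(self.root, tok)

    def mk_token(self, name, ttl, now=None):
        """Issue a token that expires `ttl` seconds after `now`."""
        now = time.time() if now is None else now
        tok = os.urandom(16).hex()
        with open(self._path(tok), "w") as fh:
            json.dump({"name": name, "expire": now + ttl}, fh)
        return tok

    def _load(self, tok):
        """Read stored token data; missing or corrupt files count as absent."""
        try:
            with open(self._path(tok)) as fh:
                return json.load(fh)
        except (OSError, ValueError):
            return {}

    def rm_token(self, tok):
        try:
            os.unlink(self._path(tok))
        except OSError:
            pass

    def get_tok_vulnerable(self, tok, now=None):
        """Deletes an expired token but still returns its data, so the
        first lookup after expiry succeeds and only the second fails."""
        now = time.time() if now is None else now
        tdata = self._load(tok)
        if not tdata:
            return {}
        if "expire" not in tdata or tdata["expire"] < now:
            self.rm_token(tok)
        return tdata  # BUG: stale data handed back regardless of expiry

    def get_tok_fixed(self, tok, now=None):
        """Expired or malformed tokens are deleted AND reported absent."""
        now = time.time() if now is None else now
        tdata = self._load(tok)
        if not tdata:
            return {}
        if "expire" not in tdata or tdata["expire"] < now:
            self.rm_token(tok)
            return {}
        return tdata


def authenticate_token(store, tok, now=None, fixed=True):
    """True if `tok` is accepted by the selected lookup routine."""
    getter = store.get_tok_fixed if fixed else store.get_tok_vulnerable
    return bool(getter(tok, now=now))


def demo():
    """Reproduce the once-after-expiry symptom with a constructed clock.

    Returns (vulnerable 1st try after expiry, vulnerable 2nd try,
             fixed lookup before expiry, fixed lookup after expiry).
    """
    store = TokenStore(tempfile.mkdtemp(prefix="eauth-demo-"))
    t0 = 1_700_000_000.0               # constructed fixed clock, not time.time()
    tok_a = store.mk_token("alice", ttl=60, now=t0)
    tok_b = store.mk_token("bob", ttl=60, now=t0)
    late = t0 + 61                     # one second past expiry
    vuln_first = authenticate_token(store, tok_a, now=late, fixed=False)
    vuln_second = authenticate_token(store, tok_a, now=late, fixed=False)
    fixed_valid = authenticate_token(store, tok_b, now=t0 + 30, fixed=True)
    fixed_expired = authenticate_token(store, tok_b, now=late, fixed=True)
    return vuln_first, vuln_second, fixed_valid, fixed_expired


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The check a practitioner wants when auditing any token store for this class of bug is the one demo() exercises: present an expired token twice and confirm that the first presentation is refused, not just the second. Cleaning up the stale record is necessary but is not the authorization decision; the lookup must also report the token as invalid on the same call.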


WAF Protection Rules

WAF Rule

In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
