Skip to content

Commit 0c0a425

Browse files
Add vpatch-CVE-2021-25281 rule and test (#1630)
* Add vpatch-CVE-2021-25281 rule * Add vpatch-CVE-2021-25281 test config * Add CVE-2021-25281.yaml test * Add vpatch-CVE-2021-25281 rule to vpatch collection --------- Co-authored-by: Thibault "bui" Koechlin <thibault@crowdsec.net>
1 parent cb7311e commit 0c0a425

File tree

4 files changed

+60
-0
lines changed

4 files changed

+60
-0
lines changed
Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
## autogenerated on 2026-01-07 15:07:56
2+
id: CVE-2021-25281
3+
info:
4+
name: CVE-2021-25281
5+
author: crowdsec
6+
severity: info
7+
description: CVE-2021-25281 testing
8+
tags: appsec-testing
9+
http:
10+
- raw:
11+
- |
12+
POST /run HTTP/1.1
13+
Host: {{Hostname}}
14+
Content-Type: application/json
15+
16+
{"client":"wheel_async","fun":"pillar_roots.write","data":"testing","path":"../../../../../../../tmp/testing","username":"1","password":"1","eauth":"pam"}
17+
cookie-reuse: true
18+
matchers:
19+
- type: status
20+
status:
21+
- 403
Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
## autogenerated on 2026-01-07 15:07:56
2+
appsec-rules:
3+
- ./appsec-rules/crowdsecurity/base-config.yaml
4+
- ./appsec-rules/crowdsecurity/vpatch-CVE-2021-25281.yaml
5+
nuclei_template: CVE-2021-25281.yaml
Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
## autogenerated on 2026-01-07 15:07:56
2+
name: crowdsecurity/vpatch-CVE-2021-25281
3+
description: 'Detects SaltStack Salt API authentication bypass via wheel_async client in /run endpoint.'
4+
rules:
5+
- and:
6+
- zones:
7+
- URI
8+
transform:
9+
- lowercase
10+
match:
11+
type: equals
12+
value: /run
13+
- zones:
14+
- BODY_ARGS
15+
variables:
16+
- json.client
17+
transform:
18+
- lowercase
19+
match:
20+
type: equals
21+
value: wheel_async
22+
23+
labels:
24+
type: exploit
25+
service: http
26+
confidence: 3
27+
spoofable: 0
28+
behavior: 'http:exploit'
29+
label: 'SaltStack Salt - Auth Bypass'
30+
classification:
31+
- cve.CVE-2021-25281
32+
- attack.T1190
33+
- cwe.CWE-287

collections/crowdsecurity/appsec-virtual-patching.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -148,6 +148,7 @@ appsec-rules:
148148
- crowdsecurity/vpatch-CVE-2025-13315
149149
- crowdsecurity/vpatch-CVE-2025-52970
150150
- crowdsecurity/vpatch-CVE-2025-47188
151+
- crowdsecurity/vpatch-CVE-2021-25281
151152
- crowdsecurity/vpatch-CVE-2025-55749
152153
- crowdsecurity/vpatch-CVE-2024-2862
153154
author: crowdsecurity

0 commit comments

Comments
 (0)