A security issue was found in SaltStack before versions 3002.5, 3001.6 and 3000.8. Via the SaltAPI, a command is constructed from a formatted string and can be truncated if there are single quotes in extra_mods, because json.dumps() escapes double quotes but leaves single quotes untouched. This could lead to a possible command injection in salt.utils.thin.gen_thin().
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
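
The quoting behaviour described above, as an added example (not Salt's code): it checks whether a JSON argument survives shell word-splitting when it is formatted between single quotes, when it is passed through shlex.quote(), and when it is handed over as an argument vector. The command name `helper`, the option `--config` and the sample values are assumptions made up for illustration.

```python
import json
import shlex

# Hypothetical command name and option (assumptions for illustration only).
PROG, OPT = "helper", "--config"

def build_formatted(extra_mods):
    """Pattern described in the advisory: JSON dropped between single quotes."""
    return "{} {} '{}'".format(PROG, OPT, json.dumps({"extra_mods": extra_mods}))

def build_quoted(extra_mods):
    """Still a shell string, but the JSON argument goes through shlex.quote()."""
    return "{} {} {}".format(PROG, OPT, shlex.quote(json.dumps({"extra_mods": extra_mods})))

def build_argv(extra_mods):
    """No shell parsing: an argument vector for subprocess.run(argv, shell=False)."""
    return [PROG, OPT, json.dumps({"extra_mods": extra_mods})]

def shell_words(command):
    """Split a command string into words as a POSIX shell would (nothing is executed)."""
    return shlex.split(command)

def argument_intact(words, extra_mods):
    """True if exactly one JSON argument arrived and decodes to the original value."""
    if len(words) != 3:
        return False
    try:
        return json.loads(words[2]) == {"extra_mods": extra_mods}
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample values: one with a double quote, one with single quotes.
    for value in ['a"b', "a' --other 'b"]:
        print(repr(value))
        print("  formatted:", argument_intact(shell_words(build_formatted(value)), value))
        print("  quoted:   ", argument_intact(shell_words(build_quoted(value)), value))
        print("  argv:     ", argument_intact(build_argv(value), value))
```

Only the formatted variant loses the argument boundary, and only for the value containing single quotes; the double quote is neutralised by json.dumps() in every variant.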