CVE-2021-31607 log
| Source |
|
| Severity | High |
| Remote | No |
| Type | Privilege escalation |
| Description | In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely). |
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-2355 | salt | 3002.6-1 | 3003-1 | High | Fixed |
| References |
|---|
https://saltproject.io/security_announcements/salt-security-advisory-2021-sep-02/ |