CVE-2021-31607 - log

CVE-2021-31607 edited at 09 Sep 2021 12:08:53
Severity
- Unknown
+ High
Remote
- Unknown
+ Local
Type
- Unknown
+ Privilege escalation
Description
+ In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).
References
+ https://saltproject.io/security_announcements/salt-security-advisory-2021-sep-02/
Notes
CVE-2021-31607 created at 09 Sep 2021 12:07:31