CVE-2021-31607

Command Injection in pypi/salt

Identifiers

CVE-2021-31607

Package Slug

pypi/salt

Vulnerability

Command Injection

Description

In SaltStack Salt, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).
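
The unsafe pattern named in the description, as an added illustration that is not Salt's snapper code: a diff helper that pastes pathnames into a shell command line, next to a form that passes them as an argument list. The function names, the file name and the INJECTED marker are constructed for this example, and a diff binary on PATH is assumed.

```python
import os
import subprocess
import tempfile


def diff_unsafe(pre, post):
    # Vulnerable pattern: pathnames are pasted into a string that /bin/sh parses,
    # so shell metacharacters inside a file name become shell syntax.
    cmd = "diff -u {} {}".format(pre, post)
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL, text=True)
    return proc.communicate()[0]


def diff_safe(pre, post):
    # Hardened pattern: argument list, no shell. Each pathname reaches diff as a
    # single argv entry; "--" keeps a name starting with "-" from being an option.
    proc = subprocess.Popen(["diff", "-u", "--", pre, post],
                            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                            text=True)
    return proc.communicate()[0]


def shell_ran_extra_command(output):
    # The marker appears as a line of its own only if the shell executed "echo".
    return "INJECTED" in output.splitlines()


def demo():
    # Constructed sample: two snapshot-like directories holding one file whose
    # name contains a command separator (hypothetical name, harmless payload).
    name = "motd; echo INJECTED"
    with tempfile.TemporaryDirectory() as root:
        paths = []
        for snap, text in (("pre", "old\n"), ("post", "new\n")):
            os.mkdir(os.path.join(root, snap))
            paths.append(os.path.join(root, snap, name))
            with open(paths[-1], "w") as handle:
                handle.write(text)
        unsafe_out = diff_unsafe(*paths)
        safe_out = diff_safe(*paths)
    return (shell_ran_extra_command(unsafe_out),
            shell_ran_extra_command(safe_out),
            "-old" in safe_out.splitlines())


if __name__ == "__main__":
    print(demo())
```

In the argument-list form the same file name only shows up inside the diff header, as data. Code review and static analysis can look for the first form by flagging shell=True calls whose command string is built from file names.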

Affected Versions

All versions starting from 2016.9 up to 3002.6

Solution

Upgrade to version 3002.7 or above.

Last Modified

2021-05-05
