CVE-2021-31607
pypi/salt
Command Injection
In SaltStack Salt, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).
All versions starting from 2016.9 up to 3002.6
Upgrade to version 3002.7 or above.
2021-05-05
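The class of bug described above, a pathname interpolated into a shell command string, shown next to two safer forms. This is an added example, not Salt's snapper module code; the function names, the echo stand-in command and the sample pathname are constructed for illustration, and a POSIX shell is assumed.

```python
import shlex
import subprocess

# Constructed sample: a file name containing shell syntax. Any local user
# can create such a name in a directory they can write to.
SAMPLE_PATH = "/tmp/report.txt; echo INJECTED"


def run_shell_string(path):
    """Pattern to avoid: the path is pasted into a string the shell parses."""
    cmd = "echo comparing {0}".format(path)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_argv(path):
    """Preferred: argument vector and no shell, so the path is one argument."""
    out = subprocess.run(["echo", "comparing", path],
                         capture_output=True, text=True)
    return out.stdout.splitlines()


def run_shell_quoted(path):
    """If a shell cannot be avoided, quote every interpolated value."""
    cmd = "echo comparing {0}".format(shlex.quote(path))
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def names_needing_quoting(paths):
    """Audit helper: names a shell would not treat as one plain word.

    Deliberately over-inclusive (it also flags spaces); a hit means the
    name is only safe when passed as an argv element or quoted.
    """
    return [p for p in paths if shlex.quote(p) != p]


if __name__ == "__main__":
    print("shell string:", run_shell_string(SAMPLE_PATH))
    print("argv list:   ", run_argv(SAMPLE_PATH))
    print("shell quoted:", run_shell_quoted(SAMPLE_PATH))
    print("flagged:     ", names_needing_quoting(["/etc/hosts", SAMPLE_PATH]))
```

In the first form the shell runs the text after the semicolon as a second command with the privileges of the calling process; in the other two the whole pathname stays a single argument.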