CVE-2021-31607

Command Injection in pypi/salt

Identifier

CVE-2021-31607

Package Slug

pypi/salt

Vulnerability

Command Injection

Description

In SaltStack Salt, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).

Affected Versions

All versions starting from 2016.9 up to 3002.6

Solution

Upgrade to version 3003 or above.

Last Modified

2021-05-05

source