1953065 – (CVE-2021-31607) CVE-2021-31607 salt: Command injection in the snapper module

Bug 1953065 (CVE-2021-31607) - CVE-2021-31607 salt: Command injection in the snapper module

Summary: CVE-2021-31607 salt: Command injection in the snapper module

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2021-31607
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1953066
Blocks:	1953067
TreeView+	depends on / blocked

Reported:	2021-04-23 19:41 UTC by Pedro Sampaio
Modified:	2021-06-22 16:52 UTC (History)
CC List:	14 users (show)
Fixed In Version:	salt 3003
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Salt. A command injection vulnerability occurs in the snapper module that allows local privilege escalation on a minion. This attack requires the creation of a file with a pathname that is backed up by snapper, with the master calling the snapper.diff function. Snapper.diff executes the popen unsafely. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed:	2021-04-29 22:46:35 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2021-04-23 19:41:47 UTC

In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).

References:

https://sec.stealthcopter.com/saltstack-snapper-minion-privledge-escaltion/

Comment 1 Pedro Sampaio 2021-04-23 19:42:20 UTC

Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1953066]

Comment 4 Product Security DevOps Team 2021-04-29 22:46:35 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31607

Comment 5 Hardik Vyas 2021-05-05 05:37:44 UTC

Upstream fix: https://github.com/saltstack/salt/commit/43e4ac985a2fc5f0d596c9fc6bc700b0d1af5344

Note You need to log in before you can comment on or make changes to this bug.