{"id":"CVE-2021-31607","details":"In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).","aliases":["GHSA-hcjf-rp5h-g5h3","PYSEC-2021-56"],"modified":"2026-04-09T08:03:34.488982Z","published":"2021-04-23T06:15:07.893Z","related":["SUSE-SU-2021:14753-1","SUSE-SU-2021:1688-1","SUSE-SU-2021:1690-1","SUSE-SU-2021:1951-1","SUSE-SU-2021:2098-1","SUSE-SU-2021:2102-1","SUSE-SU-2021:2104-1","SUSE-SU-2021:2105-1","SUSE-SU-2021:2106-1","SUSE-SU-2021:2114-1","openSUSE-SU-2021:0899-1","openSUSE-SU-2021:1951-1","openSUSE-SU-2021:2106-1","openSUSE-SU-2024:11364-1"],"references":[{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MBAHHSGZLEJRCG4DX6J4RBWJAAWH55RQ/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202310-22"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-5011"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/11/msg00009.html"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BUWUF5VTENNP2ZYZBVFKPSUHLKLUBD5/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ACVT7M4YLZRLWWQ6SGRK3C6TOF4FXOXT/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LDKMAJXYFHM4USVX3H5V2GCCBGASWUSM/"},{"type":"FIX","url":"https://sec.stealthcopter.com/saltstack-snapper-minion-privledge-escaltion/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/saltstack/salt","events":[{"introduced":"f76dc0f9c06dd0690447a31544b7bd1fe7f5765a"},{"last_affected":"027263b794ac03a5953ac360d7205a69e643b19a"}],"database_specific":{"versions":[{"introduced":"2016.9"},{"last_affected":"3002.6"}]}}],"versions":["v2016.11","v2016.9","v2017.5","v2017.7","v2018.11","v2018.2","v2018.3","v2019.2","v2019.2.1","v2019.2.1rc1","v3000","v3000.0rc1","v3000.0rc2","v3000.1","v3000_docs","v3001","v3001.1","v3001rc1","v3002","v3002.2","v3002.3","v3002.4","v3002.5","v3002.6","v3002rc1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"35"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-31607.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}