CVE-2021-31607 in SaltStack and Fedora Project Products
Published on April 23, 2021
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).
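An added example, not Salt's own code or the fix that shipped: a Python audit that lists names under a snapper-managed tree which a shell would not read as one plain word, next to the hardened call shape (argument list, no shell) that hands such a name to a child process as a single argument. The function names and sample file names are constructed for illustration, and a Python child process stands in for the external tool.

```python
import json
import os
import shlex
import subprocess
import sys
import tempfile

# Constructed sample names; only the first is a plain shell word.
SAMPLE_NAMES = ("report.txt", "weekly notes.txt", "a;b.txt")

def needs_quoting(name):
    """True if a shell would not read `name` as one plain word."""
    return shlex.quote(name) != name

def audit_tree(root):
    """Relative paths under `root` whose file or directory name needs quoting."""
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if needs_quoting(name):
                full = os.path.join(dirpath, name)
                flagged.append(os.path.relpath(full, root))
    return sorted(flagged)

def received_args(path):
    """Hardened call shape: argument list and no shell, so `path` is pure data.
    The child (a stand-in for an external tool) reports the arguments it got."""
    child = "import json, sys; print(json.dumps(sys.argv[1:]))"
    done = subprocess.run([sys.executable, "-c", child, path],
                          capture_output=True, text=True, check=True)
    return json.loads(done.stdout)

def demo():
    """Build a throwaway tree, audit it, and pass each flagged path to the child."""
    with tempfile.TemporaryDirectory() as root:
        for name in SAMPLE_NAMES:
            open(os.path.join(root, name), "w").close()
        flagged = audit_tree(root)
        echoed = [received_args(os.path.join(root, rel)) for rel in flagged]
    return flagged, echoed

if __name__ == "__main__":
    print(demo())
```

Flagged names are not necessarily malicious (a space is enough to be listed); the audit only narrows down which paths deserve a look on minions still running an affected release.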
Products Associated with CVE-2021-31607
SaltStack Salt
Fedora Project Fedora
Exploit Probability
EPSS: 4.55%
Percentile: 89.02%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.