SB2021061033 - SUSE update for salt

Main Vulnerability Database SB2021061033

SB2021061033 - SUSE update for salt

Published: June 10, 2021

Security Bulletin ID SB2021061033

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Command Injection (CVE-ID: CVE-2021-31607)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to command injection in the snapper module. A local user can escalate privileges on a minion.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2021/suse-su-20211951-1/

Vulnerable Software

SUSE Linux Enterprise Module for Transactional Server: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
SUSE Linux Enterprise Module for Server Applications: 15-SP3
salt-zsh-completion: before 3002.2-8.41.8.1
salt-bash-completion: before 3002.2-8.41.8.1
salt-minion: before 3002.2-8.41.8.1
salt-doc: before 3002.2-8.41.8.1
salt: before 3002.2-8.41.8.1
python3-salt: before 3002.2-8.41.8.1
salt-fish-completion: before 3002.2-8.41.8.1
salt-syndic: before 3002.2-8.41.8.1
salt-standalone-formulas-configuration: before 3002.2-8.41.8.1
salt-ssh: before 3002.2-8.41.8.1
salt-proxy: before 3002.2-8.41.8.1
salt-master: before 3002.2-8.41.8.1
salt-cloud: before 3002.2-8.41.8.1
salt-api: before 3002.2-8.41.8.1
salt-transactional-update: before 3002.2-8.41.8.1