An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).
Please stabilize 3003.3.
The bug has been referenced in the following commit(s):
Author: GLSAMaker <email@example.com>
AuthorDate: 2023-10-31 11:57:07 +0000
Commit: Hans de Graaff <firstname.lastname@example.org>
CommitDate: 2023-10-31 11:57:38 +0000
[ GLSA 202310-22 ] Salt: Multiple Vulnerabilities
Signed-off-by: GLSAMaker <email@example.com>
Signed-off-by: Hans de Graaff <firstname.lastname@example.org>
glsa-202310-22.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)