CVE-2021-31997

CWE-59CWE-614 documents4 sources
Severity
7.8HIGH
EPSS
0.0%
top 89.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Opensuse Python-postoriusOpensuse FactoryOpensuse Leap 15.2
Timeline
PublishedJun 10
Latest updateMay 24

Description

A UNIX Symbolic Link (Symlink) Following vulnerability in python-postorius of openSUSE Leap 15.2, Factory allows local attackers to escalate from users postorius or postorius-admin to root. This issue affects: openSUSE Leap 15.2 python-postorius version 1.3.2-lp152.1.2 and prior versions. openSUSE Factory python-postorius version 1.3.4-2.1 and prior versions.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NExploitability: 2.5 | Impact: 4.2

Affected Packages3 packages

NVDopensuse/python-postorius< 1.3.2-lp152.1.2+1
CVEListV5opensuse/factorypython-postorius1.3.4-2.1
CVEListV5opensuse/leap_15.2python-postorius1.3.2-lp152.1.2

🔴Vulnerability Details

2
GHSA
GHSA-p6rm-7r2c-w38x: a UNIX Symbolic Link (Symlink) Following vulnerability in python-postorius of openSUSE Leap 152022-05-24
CVEList
python-postorius: postorius-permissions.sh used during %post allows local privilege escalation from postorius user to root2021-06-10

📋Vendor Advisories

1
Debian
CVE-2021-31997: postorius - A UNIX Symbolic Link (Symlink) Following vulnerability in python-postorius of op...2021
CVE-2021-31997 (HIGH CVSS 7.8) | A UNIX Symbolic Link (Symlink) Foll | cvebase.io