CVE-2021-31997 MEDIUM

CVE-2021-31997: python-postorius: postorius-permissions.sh used during %post allows local privilege escalation from postorius user to root

Vendor Opensuse

Product Leap 15.2

Weakness CWE-59

Published June 10, 2021

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

6.8/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

Description

A UNIX Symbolic Link (Symlink) Following vulnerability in python-postorius of openSUSE Leap 15.2, Factory allows local attackers to escalate from users postorius or postorius-admin to root. This issue affects: openSUSE Leap 15.2 python-postorius version 1.3.2-lp152.1.2 and prior versions. openSUSE Factory python-postorius version 1.3.4-2.1 and prior versions.

Key dates

Disclosure timeline

June 10, 2021 CVE published

September 16, 2024 Record updated

Identifiers

CVE CVE-2021-31997

CWE CWE-59

CVSS 6.8 / MEDIUM

Affected versions

Vendor Opensuse

Product Leap 15.2

Affected ≥ python-postorius and ≤ 1.3.2-lp152.1.2

Vendor Opensuse

Product Factory

Affected ≥ python-postorius and ≤ 1.3.4-2.1