PT-2021-3365 · Suse · Opensuse Leap

Matthias Gerstner · Published 2021-02-18 · Updated 2022-10-14 · CVE-2021-31997

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
openSUSE Leap 15.2: python-postorius 1.3.2-lp152.1.2 and earlier
openSUSE Factory: python-postorius 1.3.4-2.1 and earlier

Description
A UNIX symbolic link (symlink) following issue allows local attackers to escalate privileges from the users postorius or postorius-admin to root. The weakness is in the postorius-permissions.sh script of the python-postorius package (Postorius is the web management interface for Mailman). The script follows symbolic links in the paths it processes, so a link planted by one of those accounts redirects the script's privileged file operations to a target of the attacker's choosing.

Recommendations
openSUSE Leap 15.2: update python-postorius to a version later than 1.3.2-lp152.1.2.
openSUSE Factory: update python-postorius to a version later than 1.3.4-2.1.
Until the update is installed, restrict access to the postorius-permissions.sh script as a temporary workaround.
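The following script is an added illustration of the weakness class described above, written for this page; it is not the postorius-permissions.sh shipped by openSUSE and reproduces none of its contents. It builds a constructed scenario in a scratch directory (the names state, secret and archive.db are made up): a privileged-style "fix permissions" helper that chmods entries by path follows a symlink planted in the directory it maintains and changes the mode of a file outside that directory, while a hardened variant that refuses to dereference links leaves the target untouched. It runs as an unprivileged user, so the "victim" file is our own; with a root-run script the same pattern reaches any file on the system.

```shell
#!/bin/sh
# Constructed illustration of a symlink-following bug in a privileged
# "fix permissions" helper, modelled on the weakness class in this advisory.
# It is NOT the real postorius-permissions.sh; paths and names are made up.
# Requires GNU coreutils (stat -c) and findutils (-mindepth).

# Lay out the scenario under $1:
#   $1/state             directory the low-privileged service account may write to
#   $1/secret            file outside that directory, mode 600 (stands in for e.g. /etc/shadow)
#   $1/state/archive.db  symlink planted by the attacker, pointing at $1/secret
setup_scenario() {
    mkdir -p "$1/state"
    : > "$1/secret"
    chmod 600 "$1/secret"
    ln -s "$1/secret" "$1/state/archive.db"
}

# Vulnerable variant: iterates the entries of the service directory and
# chmods each one by path. chmod dereferences a symlink given as an operand,
# so the mode change lands on the link target, outside the directory.
fix_permissions_vuln() {
    for entry in "$1"/*; do
        chmod 660 "$entry"
    done
}

# Hardened variant: -P tells find never to follow symlinks, -type f restricts
# the action to regular files, -mindepth 1 keeps the directory itself out.
# Symlinks (and anything else) planted in the directory are left alone.
# For chown-based scripts the equivalent guard is chown -h / --no-dereference.
fix_permissions_safe() {
    find -P "$1" -mindepth 1 -type f -exec chmod 660 -- {} +
}

# Octal mode of a path (used to observe what happened to the target file).
mode_of() {
    stat -c %a "$1"
}

# Runs both variants against a fresh scenario and reports the outcome.
# Returns 0 when the vulnerable variant altered the target and the hardened
# one did not, 1 otherwise.
run_demo() {
    scratch=$(mktemp -d) || return 1
    setup_scenario "$scratch"
    result=1

    fix_permissions_vuln "$scratch/state"
    vuln_mode=$(mode_of "$scratch/secret")

    chmod 600 "$scratch/secret"          # reset before the second run
    fix_permissions_safe "$scratch/state"
    safe_mode=$(mode_of "$scratch/secret")

    echo "after vulnerable helper: secret mode $vuln_mode (660 means the symlink was followed)"
    echo "after hardened helper:   secret mode $safe_mode (600 means the symlink was ignored)"
    [ "$vuln_mode" = 660 ] && [ "$safe_mode" = 600 ] && result=0

    rm -rf "$scratch"
    return $result
}

run_demo
```

Two caveats for anyone hardening such a script. First, the find-based variant still has a window between find's -type f test and chmod's own path resolution, so an attacker who can swap a regular file for a symlink at the right moment can win the race; the robust fix for mode changes is an open with O_NOFOLLOW followed by fchmod (which plain shell cannot express), and for ownership changes chown -h, which acts on the link itself. Second, and more fundamentally, a root-run maintenance script should not perform file operations inside a directory tree that a less privileged account can write to at all; that is the design condition that makes symlink following exploitable.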

Fix

Weakness Enumeration

Link Following

Related Identifiers

BDU:2021-03211
CVE-2021-31997
OPENSUSE-SU-2024:12306-1

Affected Products

Opensuse Leap