CVE-2019-18897: 
SaltStack vulnerability analysis and mitigation

A UNIX Symbolic Link (Symlink) Following vulnerability (CVE-2019-18897) was discovered in the packaging of salt affecting SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, and openSUSE Factory. The vulnerability allows local attackers to escalate privileges from user salt to root through the salt-master package (NVD).

The vulnerability exists in the %post script of the salt-master package, where a recursive chown operation is performed without properly validating symbolic links. This can be exploited on systems with fs.protected_hardlinks=0. The vulnerability has a CVSS v3.1 base score of 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) according to NVD assessment (NVD).

The vulnerability allows local attackers to escalate privileges from the salt user to root, potentially gaining complete system access. Additionally, the chown operation can be used for denial of service attacks by making files unavailable to users/daemons (SUSE Bug).

The issue has been fixed in updated versions of the salt-master package. The fix prevents user escalation by excluding any possible symlinks at the time of executing chown. Users should update to the patched versions available through their distribution's package manager (OpenSUSE Advisory).