CVE-2019-17361

Published: 17 January 2020

In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: salt (Launchpad, Ubuntu, Debian)

Release                              Status
Upstream                             Needs triage
Ubuntu 20.04 LTS (Focal Fossa)       Does not exist
Ubuntu 18.04 LTS (Bionic Beaver)     Released (2017.7.4+dfsg1-1ubuntu18.04.2)
Ubuntu 16.04 ESM (Xenial Xerus)      Released (2015.8.8+ds-1ubuntu0.1)
Ubuntu 14.04 ESM (Trusty Tahr)       Does not exist

Patches:
Upstream: https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387