CVE-2019-17361

Published: 17 January 2020

In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

Priority

CVSS 3 base score: 9.8

Status

Package	Release	Status
salt Launchpad, Ubuntu, Debian	Upstream	Needs triage


	Ubuntu 20.10 (Groovy Gorilla)	Not vulnerable (3000+dfsg1-1)
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Released (2017.7.4+dfsg1-1ubuntu18.04.2)
	Ubuntu 16.04 ESM (Xenial Xerus)	Released (2015.8.8+ds-1ubuntu0.1)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Patches: Upstream: https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM

CVE-2019-17361

Medium

Status

References

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading