CVE-2019-17361

Published: 17 January 2020

In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

Priority

CVSS 3 base score: 9.8

Status

Package	Release	Status
salt Launchpad, Ubuntu, Debian	Upstream	Needs triage



	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Released (2017.7.4+dfsg1-1ubuntu18.04.2)
	Ubuntu 16.04 ESM (Xenial Xerus)	Released (2015.8.8+ds-1ubuntu0.1)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Patches: Upstream: https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17361
https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix
https://github.com/saltstack/salt/commits/master
https://ubuntu.com/security/notices/USN-4459-1
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

CVE-2019-17361

Medium

Status

References

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading