In SaltStack Salt up to and including 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
Vulnerable Product |
---|
saltstack salt |
debian debian linux 9.0 |
debian debian linux 10.0 |
opensuse leap 15.1 |
canonical ubuntu linux 18.04 |
canonical ubuntu linux 16.04 |