CVE-2019-17361

Published: 17/01/2020 Updated: 31/01/2023
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

In SaltStack Salt up to and including 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

Vulnerable Products

saltstack salt

debian debian linux 9.0

debian debian linux 10.0

opensuse leap 15.1

canonical ubuntu linux 18.04

canonical ubuntu linux 16.04

Vendor Advisories

Debian Bug report logs - #949222 salt: CVE-2019-17361. Package: src:salt; Maintainer for src:salt is Debian Salt Team <pkg-salt-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 18 Jan 2020 12:42:01 UTC; Severity: grave; Tags: security, upstream. Found in versions salt/2016 ...
Several vulnerabilities were discovered in salt, a powerful remote execution manager, which could result in retrieval of user tokens from the salt master, execution of arbitrary commands on salt minions, arbitrary directory access for authenticated users, or arbitrary code execution on salt-api hosts. For the oldstable distribution (stretch), these pr ...
With the Salt NetAPI enabled in addition to having an SSH roster defined, unauthenticated access is possible when specifying the client as SSH. Additionally, when the raw_shell option is specified, any arbitrary command may be run on the Salt master when specifying SSH options ...