CVE-2019-17361

Published: Jan 17, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

Affected (6)

Products: Saltstack: Salt · Debian: Debian Linux · Opensuse: Leap · +1 more

Show all products

Saltstack: Salt · Debian: Debian Linux · Opensuse: Leap · Canonical: Ubuntu Linux

1 product

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Saltstack Salt	Up to 2019.2.0

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0
Opensuse Leap	Version 15.1

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (10)

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00026.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix

Source: cve@mitre.org

Release NotesThird Party Advisory

https://github.com/saltstack/salt/commits/master

Source: cve@mitre.org

PatchThird Party Advisory

https://usn.ubuntu.com/4459-1/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2020/dsa-4676

Source: cve@mitre.org

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00026.html