CVE-2019-17361
Severity: CRITICAL
SaltStack Salt through 2019.2.0 - Unauthenticated Remote Code Execution via the salt-api NetAPI ssh client

In SaltStack Salt through 2019.2.0, the salt-api NetAPI with the ssh client enabled is vulnerable to command injection (CWE-77). An unauthenticated attacker with network access to the salt-api endpoint can execute arbitrary commands on the host running salt-api. The fix shipped in Salt 2019.2.3 (see the release notes reference below); until an upgrade is possible, the practical mitigation is to keep salt-api unreachable from untrusted networks. Note that the affected range is recorded inconsistently on this page: the CVE text says "through 2019.2.0", while the PyPI range runs up to 2019.2.3, the release that carries the fix.
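Two checks a defender would run against this advisory, as an added example (this is not Salt's own code): a version check that treats 2019.2.3 as the first fixed release, which is what the release notes reference supports, and a request inspector that flags salt-api lowstates selecting client "ssh" with no eauth credentials, the unauthenticated request shape the advisory describes. The credential field names (username, password, eauth, token, X-Auth-Token) are salt-api's documented ones; the sample request bodies are constructed for the demonstration.

```python
"""Triage helpers for CVE-2019-17361 (unauthenticated salt-api NetAPI ssh client).

Added example; this is not Salt's own code. It assumes the fix shipped in
Salt 2019.2.3 and that the request shape to look for is a NetAPI lowstate
selecting client "ssh" with no eauth credentials.
"""
from __future__ import annotations

import json
import re
from typing import Any
from urllib.parse import parse_qs

# Assumption: first release carrying the fix, per the 2019.2.3 release notes.
FIXED_VERSION = (2019, 2, 3)

# Lowstate fields that carry eauth credentials on /run; a session token from
# /login arrives in the X-Auth-Token header instead.
AUTH_KEYS = ("eauth", "username", "password", "token")
TOKEN_HEADER = "X-Auth-Token"


def parse_salt_version(text: str) -> tuple[int, ...]:
    """Pull the numeric version out of e.g. 'salt-api 2019.2.0 (Fluorine)'
    or 'salt 3000'. Dotted versions are preferred; a bare integer of four or
    more digits covers the 3000+ numbering Salt adopted after 2019.2.x."""
    m = re.search(r"(\d+(?:\.\d+)+|\d{4,})", text)
    if not m:
        raise ValueError(f"no Salt version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_version_fixed(version_text: str) -> bool:
    """True when the version is 2019.2.3 or newer. Tuple comparison handles
    the numbering change: (3000,) > (2019, 2, 3)."""
    return parse_salt_version(version_text) >= FIXED_VERSION


def parse_lowstate(body: str) -> list[dict[str, Any]]:
    """Turn a salt-api /run request body into a list of lowstate chunks.
    salt-api accepts JSON (one object or a list of them) as well as
    form-encoded bodies, which is what `curl -d client=ssh ...` sends."""
    body = body.strip()
    if body.startswith(("{", "[")):
        data = json.loads(body)
        chunks = data if isinstance(data, list) else [data]
        return [c for c in chunks if isinstance(c, dict)]
    form = parse_qs(body, keep_blank_values=True)
    # A form body describes a single chunk; collapse single-valued fields.
    return [{k: v[0] if len(v) == 1 else v for k, v in form.items()}]


def flag_unauthenticated_ssh_lowstates(
    body: str, headers: dict[str, str] | None = None
) -> list[dict[str, Any]]:
    """Return every lowstate chunk that selects the ssh client without any
    eauth fields and without a session token header. An unpatched salt-api
    honours such a request without authentication; a patched one should
    reject it, so hits in proxy or WAF logs are worth a look either way."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    if headers.get(TOKEN_HEADER.lower()):
        return []
    flagged = []
    for chunk in parse_lowstate(body):
        if str(chunk.get("client", "")).lower() != "ssh":
            continue
        if not any(key in chunk for key in AUTH_KEYS):
            flagged.append(chunk)
    return flagged


# Constructed sample bodies for the demonstration; not captured from a real host.
SAMPLE_SSH_JSON = json.dumps({"client": "ssh", "tgt": "*", "fun": "test.ping"})
SAMPLE_SSH_FORM = "client=ssh&tgt=*&fun=test.ping"
SAMPLE_LOCAL_EAUTH = json.dumps([
    {"client": "local", "tgt": "*", "fun": "test.ping",
     "username": "ops", "password": "secret", "eauth": "pam"}
])

if __name__ == "__main__":
    for line in ("salt-api 2019.2.0 (Fluorine)", "salt-api 2019.2.3 (Fluorine)", "salt 3000"):
        print(f"{line}: {'fixed' if is_version_fixed(line) else 'VULNERABLE'}")
    print("flagged JSON chunks:", flag_unauthenticated_ssh_lowstates(SAMPLE_SSH_JSON))
    print("flagged form chunks:", flag_unauthenticated_ssh_lowstates(SAMPLE_SSH_FORM))
    print("flagged eauth chunks:", flag_unauthenticated_ssh_lowstates(SAMPLE_LOCAL_EAUTH))
```

The version check is the fast answer for a fleet inventory (feed it `salt-api --version` output per host); the lowstate inspector is a retrospective check for anyone whose reverse proxy or WAF kept request bodies, since salt-api's own access log does not record the lowstate.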
References (5)
- https://github.com/saltstack/salt/commits/master (Patch, Third Party Advisory). This points at the master branch commit history rather than a specific commit, so it does not identify the fixing change on its own.
- https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix (Release Notes, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00026.html (Mailing List, Vendor Advisory: openSUSE)
- https://www.debian.org/security/2020/dsa-4676 (Vendor Advisory: Debian DSA-4676)
- https://usn.ubuntu.com/4459-1/ (Vendor Advisory: Ubuntu USN-4459-1)
Scores
CVSS v3.1 base score: 9.8 (Critical)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (attack vector network, low complexity, no privileges, no user interaction; high confidentiality, integrity and availability impact)
EPSS: 0.2230 (22.3% estimated probability of exploitation activity in the next 30 days)
EPSS percentile: 95.9%
Details
CWE: CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')
Status: published
Products (7)
- canonical/ubuntu_linux 16.04
- canonical/ubuntu_linux 18.04
- debian/debian_linux 9.0
- debian/debian_linux 10.0
- opensuse/leap 15.1
- pypi/salt: >= 0, < 2019.2.3 (PyPI; 2019.2.3 is the release carrying the fix)
- saltstack/salt: < 2019.2.0 (as recorded; the description above says "through 2019.2.0")
Published: Jan 17, 2020
Tracked since: Feb 18, 2026