CVE-2019-17361

CVE Database · CVE-2019-17361

CVE-2019-17361

· CRITICALModified

CVSS v3.1

9.8

EPSS

15.11%

Published

Jan 16, 2020

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-77

Affected Products (6)

saltstack · saltvulnerable

debian · debian_linuxvulnerable

opensuse · leapvulnerable

canonical · ubuntu_linuxvulnerable

References (10)

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00026.html

Mailing ListThird Party Advisory

https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix

Release NotesThird Party Advisory

https://github.com/saltstack/salt/commits/master

PatchThird Party Advisory

https://usn.ubuntu.com/4459-1/

Third Party Advisory

https://www.debian.org/security/2020/dsa-4676

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00026.html

KEV Catalog EPSS Scores Vendors All CVEs