CVE-2019-17361

Name: CVE-2019-17361
Description: In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DSA-4676-1
NVD severity: medium
Debian Bugs: 949222

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release            | Version                      | Status
salt (PTS)     | jessie             | 2014.1.13+ds-3               | fixed
salt (PTS)     | stretch            | 2016.11.2+ds-1+deb9u2        | vulnerable
salt (PTS)     | stretch (security) | 2016.11.2+ds-1+deb9u4        | fixed
salt (PTS)     | buster             | 2018.3.4+dfsg1-6             | vulnerable
salt (PTS)     | buster (security)  | 2018.3.4+dfsg1-6+deb10u1     | fixed
salt (PTS)     | bullseye, sid      | 3000.2+dfsg1-1               | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version             | Urgency | Origin     | Debian Bugs
salt    | source | (unstable) | 2019.2.3+dfsg1-1          |         |            | 949222
salt    | source | buster     | 2018.3.4+dfsg1-6+deb10u1  |         | DSA-4676-1 |
salt    | source | jessie     | (not affected)            |         |            |
salt    | source | stretch    | 2016.11.2+ds-1+deb9u3     |         | DSA-4676-1 |

Notes

[jessie] - salt <not-affected> (Vulnerable code added in v2014.7)
https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387
Vulnerability introduced in https://github.com/saltstack/salt/commit/3bade9d6258fb8df849b32f68de6343cfdd83720
