CVE-2019-17361

NameCVE-2019-17361
DescriptionIn SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4676-1
Debian Bugs949222

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
saltsourcejessie(not affected)
saltsourcestretch2016.11.2+ds-1+deb9u3DSA-4676-1
saltsourcebuster2018.3.4+dfsg1-6+deb10u1DSA-4676-1
saltsource(unstable)2019.2.3+dfsg1-1949222

Notes

[jessie] - salt <not-affected> (Vulnerable code added in v2014.7)
https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387
Vulnerability introduced in https://github.com/saltstack/salt/commit/3bade9d6258fb8df849b32f68de6343cfdd83720
Search for package or bug name: Reporting problems