CVE-2019-17361

Name: CVE-2019-17361
Description: In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
Source: CVE (links at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search)
References: DSA-4676-1
NVD severity: medium
Debian Bugs: 949222

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version                    Status
salt (PTS)       stretch              2016.11.2+ds-1+deb9u4      fixed
                 stretch (security)   2016.11.2+ds-1+deb9u9      fixed
                 buster               2018.3.4+dfsg1-6+deb10u2   fixed
                 buster (security)    2018.3.4+dfsg1-6+deb10u3   fixed
                 bullseye             3002.6+dfsg1-4             fixed
                 bullseye (security)  3002.6+dfsg1-4+deb11u1     fixed
                 bookworm, sid        3004+dfsg1-4               fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version              Urgency   Origin       Debian Bugs
salt      source   jessie       (not affected)
salt      source   stretch      2016.11.2+ds-1+deb9u3                DSA-4676-1
salt      source   buster       2018.3.4+dfsg1-6+deb10u1             DSA-4676-1
salt      source   (unstable)   2019.2.3+dfsg1-1                                  949222

Notes

[jessie] - salt <not-affected> (Vulnerable code added in v2014.7)
https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387
Vulnerability introduced in https://github.com/saltstack/salt/commit/3bade9d6258fb8df849b32f68de6343cfdd83720
