Arbitrary Command Injection Affecting salt package, versions <2018.3.4+dfsg1-6+deb10u1
Threat Intelligence
EPSS
0.54% (78th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN10-SALT-542648
- published 18 Jan 2020
- disclosed 17 Jan 2020
Introduced: 17 Jan 2020
CVE-2019-17361 Open this link in a new tabHow to fix?
Upgrade Debian:10 salt to version 2018.3.4+dfsg1-6+deb10u1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream salt package and not the salt package as distributed by Debian.
See How to fix? for Debian:10 relevant fixed versions and status.
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-17361
- https://security-tracker.debian.org/tracker/CVE-2019-17361
- https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix
- https://www.debian.org/security/2020/dsa-4676
- https://github.com/saltstack/salt/commits/master
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00026.html
- https://usn.ubuntu.com/4459-1/
CVSS Scores
version 3.1