CVE-2019-17361

Priority
Description
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh
client enabled is vulnerable to command injection. This allows an
unauthenticated attacker with network access to the API endpoint to execute
arbitrary code on the salt-api host.
Notes
Package
Source: salt (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (2015.8.8+ds-1ubuntu0.1)
Ubuntu 18.04 LTS (Bionic Beaver): released (2017.7.4+dfsg1-1ubuntu18.04.2)
Ubuntu 20.04 LTS (Focal Fossa): DNE
Ubuntu 20.10 (Groovy Gorilla): not-affected (3000+dfsg1-1)
Patches:
Upstream: https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387
More Information

Updated: 2020-09-10 06:19:43 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)