CVE-2019-17361

NameCVE-2019-17361
DescriptionIn SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4676-1
Debian Bugs949222

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
salt (PTS)jessie, jessie (lts)2014.1.13+ds-3+deb8u2fixed
stretch (security), stretch (lts), stretch2016.11.2+ds-1+deb9u10fixed
buster, buster (security)2018.3.4+dfsg1-6+deb10u3fixed
bullseye (security), bullseye3002.6+dfsg1-4+deb11u1fixed
sid3004.1+dfsg-2.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
saltsourcejessie(not affected)
saltsourcestretch2016.11.2+ds-1+deb9u3DSA-4676-1
saltsourcebuster2018.3.4+dfsg1-6+deb10u1DSA-4676-1
saltsource(unstable)2019.2.3+dfsg1-1949222

Notes

[jessie] - salt <not-affected> (Vulnerable code added in v2014.7)
https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387
Vulnerability introduced in https://github.com/saltstack/salt/commit/3bade9d6258fb8df849b32f68de6343cfdd83720

Search for package or bug name: Reporting problems