CVE-2019-17361
Publication date 17 January 2020
Last updated 24 July 2024
Ubuntu priority
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| salt | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Fixed 2017.7.4+dfsg1-1ubuntu18.04.2
|
|
| 16.04 LTS xenial |
Fixed 2015.8.8+ds-1ubuntu0.1
|
|
| 14.04 LTS trusty |
Vulnerable
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4459-1
- Salt vulnerabilities
- 13 August 2020