CVE-2019-17361
Description
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
18.518
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| CVE-2019-17361 affects VMware SALT 2019.2.0-rc2 | Windows |
| CVE-2019-17361 is fixed in Python-salt 2019.2.3 | Windows |
| Infrastructure management built on a dynamic communication bus (USN-4459-1) salt-api_2015.8.8+ds-1ubuntu0.1_all.deb | Linux |
| Infrastructure management built on a dynamic communication bus (USN-4459-1) salt-api_2017.7.4+dfsg1-1ubuntu18.04.2_all.deb | Linux |
| Infrastructure management built on a dynamic communication bus (USN-4459-1) salt-common_2015.8.8+ds-1ubuntu0.1_all.deb | Linux |
| Infrastructure management built on a dynamic communication bus (USN-4459-1) salt-common_2017.7.4+dfsg1-1ubuntu18.04.2_all.deb | Linux |
| Infrastructure management built on a dynamic communication bus (USN-4459-1) salt-master_2015.8.8+ds-1ubuntu0.1_all.deb | Linux |
| Infrastructure management built on a dynamic communication bus (USN-4459-1) salt-master_2017.7.4+dfsg1-1ubuntu18.04.2_all.deb | Linux |
| Infrastructure management built on a dynamic communication bus (USN-4459-1) salt-minion_2015.8.8+ds-1ubuntu0.1_all.deb | Linux |
| Infrastructure management built on a dynamic communication bus (USN-4459-1) salt-minion_2017.7.4+dfsg1-1ubuntu18.04.2_all.deb | Linux |
| CVE-2019-17361 is fixed in Python-salt for linux 2019.2.3 | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234