CVE-2019-17361
CRITICAL 9.8 | EPSS 17.9% | salt - security update
Published: 2022/5/24 | Modified: 2026/3/9
Description
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
Affected packages (3)
- Debian/salt from 0, < 2016.11.2+ds-1+deb9u3
- PyPI/salt from 0, < 2019.2.3
- PyPI/salt from 0, < 2019.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-17361
- PATCH https://github.com/saltstack/salt
- WEB http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00026.html
- WEB https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2020-177.yaml
- WEB https://github.com/saltstack/salt/commits/master
- WEB https://usn.ubuntu.com/4459-1
- WEB https://usn.ubuntu.com/4459-1/
- WEB https://www.debian.org/security/2020/dsa-4676