CVE-2019-1010259
Published 2019-07-18
CVE-2019-1010259: SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider…
Priority: P351 | critical | 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.88% (76.9th percentile)
SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt. The attack vector is: specially crafted password string. The fixed version is: 2018.3.4.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| saltstack | salt | — | — |
| saltstack | salt | >= 0 < 2018.3.4 | 2018.3.4 |
| saltstack | salt | >= 2018.3.0 < 2018.3.4 | 2018.3.4 |
| saltstack | salt_2018 | — | — |
| saltstack | salt_2019 | — | — |
CVSS provenance
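| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |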
OSV
SaltStack Salt SQL Injection vulnerability in mysql.user_chpass function
osv·2022-05-24
CVE-2019-1010259 [CRITICAL] SaltStack Salt SQL Injection vulnerability in mysql.user_chpass function
SaltStack Salt 2018.3 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The `mysql.user_chpass` function from the MySQL module for Salt (https://github.com/saltstack/salt/blob/develop/salt/modules/mysql.py#L1462). The attack vector is: specially crafted password string. The fixed version is: 2018.3.4.
GHSA
SaltStack Salt SQL Injection vulnerability in mysql.user_chpass function
ghsa·2022-05-24
CVE-2019-1010259 [CRITICAL] CWE-89 SaltStack Salt SQL Injection vulnerability in mysql.user_chpass function
SaltStack Salt 2018.3 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The `mysql.user_chpass` function from the MySQL module for Salt (https://github.com/saltstack/salt/blob/develop/salt/modules/mysql.py#L1462). The attack vector is: specially crafted password string. The fixed version is: 2018.3.4.
OSV
CVE-2019-1010259: SaltStack Salt 2018
osv·2019-07-18
CVE-2019-1010259 CVE-2019-1010259: SaltStack Salt 2018
SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt. The attack vector is: specially crafted password string. The fixed version is: 2018.3.4.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/ShantonRU/salt/commit/a46c86a987c78e74e87969d8d3b27094e6544b7a
https://github.com/saltstack/salt/blob/f22de0887cd7167887f113bf394244b74fb36b6b/salt/modules/mysql.py#L1534
https://github.com/saltstack/salt/pull/51462