CVE-2019-17361
published 2020-01-17CVE-2019-17361: In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated…
PriorityP273critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
15.11%
96.3th percentile
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| opensuse | leap | — | — |
| saltstack | salt | <= 2019.2.0 | — |
| saltstack | salt | >= 0 < 2019.2.3 | 2019.2.3 |
| saltstack | salt | >= 0 < 2019.2.1 | 2019.2.1 |
| saltstack | salt | >= 0 < 2015.8.8+ds-1ubuntu0.1 | 2015.8.8+ds-1ubuntu0.1 |
| saltstack | salt | >= 0 < 2017.7.4+dfsg1-1ubuntu18.04.2 | 2017.7.4+dfsg1-1ubuntu18.04.2 |
Detection & IOCsextracted from sources · hover to see the quote
- →Target service: salt-api NET API endpoint with the SSH client enabled is the attack surface for unauthenticated command injection ↗
- →Monitor salt-api processes for unexpected child process spawning (e.g., shell processes) originating from the salt-api service, which would indicate successful command injection ↗
- →Unauthenticated requests to the salt-api NET API endpoint should be treated as suspicious and alerted on, especially when the SSH client is enabled in the salt-api configuration ↗
- ·Vulnerability is only exploitable when the SSH client is explicitly enabled in the salt-api NET API configuration; deployments without SSH client enabled are not affected ↗
- ·Red Hat Ceph Storage 2 is confirmed not affected because salt-api is not used or shipped in that product ↗
- ·Affected versions are SaltStack Salt through 2019.2.0; the fix is documented in the 2019.2.3 release notes ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv5.3MEDIUM
vendor_redhat9.8CRITICAL
vendor_ubuntu5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
SaltStack Salt is vulnerable to command injection
ghsa·2022-05-24
CVE-2019-17361 [CRITICAL] CWE-77 SaltStack Salt is vulnerable to command injection
SaltStack Salt is vulnerable to command injection
In SaltStack Salt before 2019.2.3, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
OSV
SaltStack Salt is vulnerable to command injection
osv·2022-05-24
CVE-2019-17361 [CRITICAL] SaltStack Salt is vulnerable to command injection
SaltStack Salt is vulnerable to command injection
In SaltStack Salt before 2019.2.3, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
OSV
salt vulnerabilities
osv·2020-08-13·CVSS 5.3
CVE-2018-15750 [MEDIUM] salt vulnerabilities
salt vulnerabilities
It was discovered that Salt allows remote attackers to determine which files
exist on the server. An attacker could use that to extract sensitive
information. (CVE-2018-15750)
It was discovered that Salt has a vulnerability that allows an user to bypass
authentication. An attacker could use that to extract sensitive information,
execute abritrary code or crash the server. (CVE-2018-15751)
It was discovered that Salt is vulnerable to command injection. This allows
an unauthenticated attacker with network access to the API endpoint to
execute arbitrary code on the salt-api host. (CVE-2019-17361)
It was discovered that Salt incorrectly validated method calls and
sanitized paths. A remote attacker could possibly use this issue to access
some methods without authenticat
OSV
CVE-2019-17361: In SaltStack Salt through 2019
osv·2020-01-17
CVE-2019-17361 CVE-2019-17361: In SaltStack Salt through 2019
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
Ubuntu
Salt vulnerabilities
vendor_ubuntu·2020-08-13·CVSS 5.3
CVE-2018-15750 [MEDIUM] Salt vulnerabilities
Title: Salt vulnerabilities
Summary: Several security issues were fixed in Salt.
It was discovered that Salt allows remote attackers to determine which files
exist on the server. An attacker could use that to extract sensitive
information. (CVE-2018-15750)
It was discovered that Salt has a vulnerability that allows an user to bypass
authentication. An attacker could use that to extract sensitive information,
execute abritrary code or crash the server. (CVE-2018-15751)
It was discovered that Salt is vulnerable to command injection. This allows
an unauthenticated attacker with network access to the API endpoint to
execute arbitrary code on the salt-api host. (CVE-2019-17361)
It was discovered that Salt incorrectly validated method calls and
sanitized paths. A remote attacker could possi
Red Hat
salt: salt-api NET API with the ssh client enabled is vulnerable to command injection
vendor_redhat·2020-01-16·CVSS 9.8
CVE-2019-17361 [CRITICAL] CWE-77 salt: salt-api NET API with the ssh client enabled is vulnerable to command injection
salt: salt-api NET API with the ssh client enabled is vulnerable to command injection
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
Statement: salt-api is not used and not shipped with Red Hat Ceph Storage 2.
Package: salt (Red Hat Ceph Storage 2) - Not affected
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-17361 salt: salt-api NET API with the ssh client enabled is vulnerable to command injection [epel-all]
bugzilla·2020-01-30·CVSS 9.8
CVE-2019-17361 [CRITICAL] CVE-2019-17361 salt: salt-api NET API with the ssh client enabled is vulnerable to command injection [epel-all]
CVE-2019-17361 salt: salt-api NET API with the ssh client enabled is vulnerable to command injection [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue aff
Bugzilla
CVE-2019-17361 salt: salt-api NET API with the ssh client enabled is vulnerable to command injection
bugzilla·2020-01-30·CVSS 9.8
CVE-2019-17361 [CRITICAL] CVE-2019-17361 salt: salt-api NET API with the ssh client enabled is vulnerable to command injection
CVE-2019-17361 salt: salt-api NET API with the ssh client enabled is vulnerable to command injection
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
Reference:
https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix
Discussion:
Created salt tracking bugs for this issue:
Affects: epel-all [bug 1796640]
---
Statement:
salt-api is not used and not shipped with Red Hat Ceph Storage 2.
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-17361
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00026.htmlhttps://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fixhttps://github.com/saltstack/salt/commits/masterhttps://usn.ubuntu.com/4459-1/https://www.debian.org/security/2020/dsa-4676http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00026.htmlhttps://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fixhttps://github.com/saltstack/salt/commits/masterhttps://usn.ubuntu.com/4459-1/https://www.debian.org/security/2020/dsa-4676
2020-01-17
Published