CVE-2019-17361
published 2020-01-17

Priority: P273
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.11% (96.3rd percentile)
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

Affected

10 ranges

Vendor      Product        Version range                          Fixed in
canonical   ubuntu_linux
canonical   ubuntu_linux
debian      debian_linux
debian      debian_linux
opensuse    leap
saltstack   salt           <= 2019.2.0
saltstack   salt           >= 0 < 2019.2.3                        2019.2.3
saltstack   salt           >= 0 < 2019.2.1                        2019.2.1
saltstack   salt           >= 0 < 2015.8.8+ds-1ubuntu0.1          2015.8.8+ds-1ubuntu0.1
saltstack   salt           >= 0 < 2017.7.4+dfsg1-1ubuntu18.04.2   2017.7.4+dfsg1-1ubuntu18.04.2

Detection & IOCs (extracted from sources)

  • Target service: the salt-api NET API endpoint with the SSH client enabled is the attack surface for unauthenticated command injection
  • Monitor salt-api processes for unexpected child process spawning (e.g., shell processes) originating from the salt-api service, which would indicate successful command injection
  • Unauthenticated requests to the salt-api NET API endpoint should be treated as suspicious and alerted on, especially when the SSH client is enabled in the salt-api configuration
  • The vulnerability is only exploitable when the SSH client is explicitly enabled in the salt-api NET API configuration; deployments without the SSH client enabled are not affected
  • Red Hat Ceph Storage 2 is confirmed not affected because salt-api is not used or shipped in that product
  • Affected versions are SaltStack Salt through 2019.2.0; the fix is documented in the 2019.2.3 release notes

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv                       5.3     MEDIUM
vendor_redhat             9.8     CRITICAL
vendor_ubuntu             5.3     MEDIUM