CVE-2019-17361
Publication date 17 January 2020
Last updated 24 July 2024
Ubuntu priority
CVSS 3 Severity Score
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
Status
Package | Ubuntu Release | Status |
---|---|---|
salt | 24.10 oracular | Not in release |
salt | 24.04 LTS noble | Not in release |
salt | 22.04 LTS jammy | Not affected |
salt | 20.04 LTS focal | Not in release |
salt | 18.04 LTS bionic | Fixed 2017.7.4+dfsg1-1ubuntu18.04.2 |
salt | 16.04 LTS xenial | Fixed 2015.8.8+ds-1ubuntu0.1 |
salt | 14.04 LTS trusty | Ignored (end of ESM support, was needed) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 · Critical |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4459-1: Salt vulnerabilities (13 August 2020)