CVE-2019-17361 – salt
Package
Manager: pip
Name: salt
Vulnerable Version: >=0 <2019.2.3
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.1468 (percentile: 0.94238)
Details
SaltStack Salt is vulnerable to command injection. In SaltStack Salt before 2019.2.3, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
Metadata
Created: 2022-05-24T17:06:52Z
Modified: 2024-10-22T14:42:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q53j-p6r2-g2v4/GHSA-q53j-p6r2-g2v4.json
CWE IDs: ["CWE-77"]
Alternative ID: GHSA-q53j-p6r2-g2v4
Finding: F422
Auto approve: 1