Bug 708710 (CVE-2019-17361) - app-admin/salt: arbitrary command execution (CVE-2019-17361)
Summary: app-admin/salt: arbitrary command execution (CVE-2019-17361)
Status: RESOLVED FIXED
Alias: CVE-2019-17361
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low trivial
Assignee: Gentoo Security
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard: ~1 [cleanup cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-08 12:38 UTC by filip ambroz
Modified: 2020-05-01 02:39 UTC

See Also:
Package list:
Runtime testing required: ---


Description filip ambroz 2020-02-08 12:38:41 UTC
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

References:
https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17361
https://nvd.nist.gov/vuln/detail/CVE-2019-17361
https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387
Comment 1 Sam James archtester gentoo-dev Security 2020-03-19 05:23:51 UTC
@maintainer(s), please cleanup