CVE-2019-17361: SaltStack Salt is vulnerable to command injection

May 24, 2022 (updated October 22, 2024)

In SaltStack Salt before 2019.2.3, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.

References

docs.saltstack.com/en/latest/topics/releases/2019.2.3.html
github.com/advisories/GHSA-q53j-p6r2-g2v4
github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2020-177.yaml
github.com/saltstack/salt
nvd.nist.gov/vuln/detail/CVE-2019-17361
usn.ubuntu.com/4459-1
www.debian.org/security/2020/dsa-4676

Code Behaviors & Features

Detect and mitigate CVE-2019-17361 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →