CVE-2019-17361
salt - security update
CVSS 3.1: 9.8 (CRITICAL)
EPSS: 17.9%
Description
In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
How to fix CVE-2019-17361
To remediate CVE-2019-17361, upgrade the affected package to one of the fixed versions listed below.
- Debian/salt—upgrade to 2016.11.2+ds-1+deb9u3 or later
- —upgrade to 2019.2.3 or later
- —upgrade to 2019.2.1 or later
Is CVE-2019-17361 being exploited?
Moderate — EPSS is 17.9%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- from 0, < 2016.11.2+ds-1+deb9u3
- from 0, < 2019.2.3
- from 0, < 2019.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |