FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

salt -- salt-api vulnerability

Affected packages
py27-salt < 2019.2.3
py32-salt < 2019.2.3
py33-salt < 2019.2.3
py34-salt < 2019.2.3
py35-salt < 2019.2.3
py36-salt < 2019.2.3
py37-salt < 2019.2.3
py38-salt < 2019.2.3

Details

VuXML ID 8c98e643-6008-11ea-af63-38d547003487
Discovery 2020-01-15
Entry 2020-03-07

SaltStack reports:

With the Salt NetAPI enabled in addition to having a SSH roster defined, unauthenticated access is possible when specifying the client as SSH.

Additionally, when the raw_shell option is specified, any arbitrary command may be run on the Salt master when specifying SSH options.

References

CVE Name CVE-2019-17361
URL https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html
URL https://nvd.nist.gov/vuln/detail/CVE-2019-17361