{"id":"CVE-2019-17361","details":"In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.","aliases":["GHSA-q53j-p6r2-g2v4","PYSEC-2020-177"],"modified":"2026-04-11T12:19:53.526125Z","published":"2020-01-17T02:15:11.493Z","related":["SUSE-RU-2020:0625-1","SUSE-RU-2020:0685-1","SUSE-SU-2020:0538-1","SUSE-SU-2020:0540-1","SUSE-SU-2020:0684-1","openSUSE-SU-2020:0357-1","openSUSE-SU-2024:11364-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"16.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"18.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"10.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"9.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"15.1"}],"cpe":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","source":"CPE_FIELD"}]},"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00026.html"},{"type":"ADVISORY","url":"https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html#security-fix"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4459-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4676"},{"type":"FIX","url":"https://github.com/saltstack/salt/commits/master"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/saltstack/salt","events":[{"introduced":"0"},{"last_affected":"0ca04ffbebb9daeb8469a6e80d868b8a6524bd99"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"2019.2.0"}],"cpe":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["v0.10.0","v0.10.1","v0.10.2","v0.10.3","v0.10.4","v0.10.5","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.16","v0.17","v0.6.0","v0.7.0","v0.8.0","v0.8.7","v0.8.9","v0.9.0","v0.9.1","v0.9.2","v0.9.3","v0.9.9","v2014.1","v2014.7","v2015.2","v2015.5","v2015.8","v2016.11","v2016.3","v2016.9","v2017.5","v2017.7","v2018.11","v2018.2","v2018.3","v2019.2","v2019.2.0","v2019.2.0rc1","v2019.2.0rc2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-17361.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}