Arch Linux: 202001-7 Medium: Salt Arbitrary Command Execution
Feb 04, 2020 • 
LinuxSecurity Advisories 1 min read
The package salt before version 2019.2.3-1 is vulnerable to arbitrary command execution.
Arch Linux Security Advisory ASA-202001-7 ======================================== Severity: Medium Date : 2020-01-29 CVE-ID : CVE-2019-17361 Package : salt Type : arbitrary command execution Remote : Yes Link : https://security.archlinux.org/AVG-1087 Summary ====== The package salt before version 2019.2.3-1 is vulnerable to arbitrary command execution. Resolution ========= Upgrade to 2019.2.3-1. # pacman -Syu "salt>=2019.2.3-1" The problem has been fixed upstream in version 2019.2.3. Workaround ========= None. Description ========== With the Salt NetAPI enabled in addition to having a SSH roster defined, unauthenticated access is possible when specifying the client as SSH. Additionally, when the raw_shell option is specified any arbitrary command may be run on the Salt master when specifying SSH options. Impact ===== A remote unauthenticated attacker is able to execute arbitrary code on the affected host. References ========= https://docs.saltproject.io/en/latest/topics/releases/2019.2.3.html https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387 https://security.archlinux.org/CVE-2019-17361
PREVIOUS 
NEXT Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!