CVE-2019-17361 log

Severity Medium
Remote Yes
Type Arbitrary command execution
With the Salt NetAPI enabled in addition to having a SSH roster defined, unauthenticated access is possible when specifying the client as SSH. Additionally, when the raw_shell option is specified any arbitrary command may be run on the Salt master when specifying SSH options.
Group Package Affected Fixed Severity Status Ticket
AVG-1087 salt 2019.2.2-1 2019.2.3-1 Medium Fixed
Date Advisory Group Package Severity Description
29 Jan 2020 ASA-202001-7 AVG-1087 salt Medium arbitrary command execution
This is technically both an auth bypass and a RCE. I opted for RCE as this seems to be the more impactful one