|Type||Arbitrary command execution|
With the Salt NetAPI enabled and an SSH roster defined, unauthenticated access is possible when the client is specified as SSH. Additionally, when the raw_shell option is specified, any arbitrary command may be run on the Salt master when SSH options are specified.
|29 Jan 2020||ASA-202001-7||AVG-1087||salt||Medium||arbitrary command execution|
This is technically both an auth bypass and an RCE. I opted for RCE as this seems to be the more impactful one.
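
A defender-side check for the request pattern described in the advisory text, as an added example that is not part of the original advisory or of Salt's own code: it scans captured NetAPI request bodies and flags chunks that select the SSH client without credentials or that set raw_shell. The capture format (a JSON body plus a flag for an auth header seen by a fronting proxy), the function names and all sample records are assumptions constructed for illustration.

```python
import json

# Constructed samples: (auth header seen by the proxy?, JSON request body).
CAPTURED = [
    (False, '[{"client": "local", "tgt": "*", "fun": "test.ping", "eauth": "pam"}]'),
    (False, '{"client": "ssh", "tgt": "web01", "fun": "test.ping"}'),
    (False, '[{"client": "ssh", "tgt": "web01", "fun": "test.ping", "raw_shell": true}]'),
    (True, '{"client": "ssh", "tgt": "web01", "fun": "test.ping", "raw_shell": "true"}'),
    (False, 'not json'),
]

def truthy(value):
    """raw_shell may arrive as a JSON bool or as a form-style string."""
    if isinstance(value, str):
        return value.strip().lower() in {"1", "true", "yes", "on"}
    return bool(value)

def audit_request(body, has_auth_header=False):
    """Return findings for one request body; an empty list means nothing flagged."""
    try:
        chunks = json.loads(body)
    except ValueError:
        return ["unparseable body"]
    if isinstance(chunks, dict):  # a single chunk sent without the list wrapper
        chunks = [chunks]
    if not isinstance(chunks, list):
        return ["unexpected body type"]
    findings = []
    for i, chunk in enumerate(chunks):
        if not isinstance(chunk, dict):
            findings.append(f"chunk {i}: not an object")
            continue
        if str(chunk.get("client", "")).lower() != "ssh":
            continue
        # Presence check only: this does not validate the credentials themselves.
        if not (has_auth_header or "token" in chunk or "eauth" in chunk):
            findings.append(f"chunk {i}: client=ssh without credentials")
        if truthy(chunk.get("raw_shell")):
            findings.append(f"chunk {i}: client=ssh with raw_shell set")
    return findings

def scan(records):
    """Map record index -> findings, keeping only records that were flagged."""
    results = {i: audit_request(body, hdr) for i, (hdr, body) in enumerate(records)}
    return {i: f for i, f in results.items() if f}

if __name__ == "__main__":
    for index, findings in scan(CAPTURED).items():
        print(index, findings)
```

A flagged record is a lead for review, not proof of compromise; correlate it with the master's own logs.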