Log

AVG-1087 edited at 16 Jan 2020 20:43:08
Severity
- Unknown
+ Medium
CVE-2019-17361 edited at 16 Jan 2020 20:43:08
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Arbitrary command execution
Description
+ With the Salt NetAPI enabled in addition to having an SSH roster defined, unauthenticated access is possible when specifying the client as SSH. Additionally, when the raw_shell option is specified, any arbitrary command may be run on the Salt master when specifying SSH options.
References
Notes
+ This is technically both an auth bypass and an RCE. I opted for RCE as this seems to be the more impactful one.
AVG-1087 created at 16 Jan 2020 20:41:53
Packages
+ salt
Issues
+ CVE-2019-17361
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 2019.2.2-1
Fixed
Ticket
Advisory qualified
+ Yes
References
+ https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html
Notes
CVE-2019-17361 created at 16 Jan 2020 20:41:53
AVG-1029 edited at 15 Jan 2020 07:44:18
Status
- Testing
+ Fixed
ASA-202001-4 edited at 14 Jan 2020 19:18:13
CVE-2019-13755 edited at 14 Jan 2020 08:13:40
Type
- Unknown
+ Access restriction bypass
AVG-1086 edited at 14 Jan 2020 08:05:52
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/
AVG-1077 edited at 14 Jan 2020 08:04:24
Status
- Vulnerable
+ Fixed
Fixed
+ 3.4.3-1
Advisory qualified
- Yes
+ No
AVG-1029 edited at 14 Jan 2020 08:03:51
Status
- Vulnerable
+ Testing
Fixed
+ 14.2.6-1
AVG-1070 edited at 14 Jan 2020 08:03:34
Status
- Vulnerable
+ Fixed
Fixed
+ 2.2.9-1
AVG-1070 edited at 14 Jan 2020 08:03:06
Advisory qualified
- Yes
+ No