CVE-2019-1010259
PUBLISHED
SaltStack Salt 2018.3 and 2019.2 are affected by SQL injection in the mysql.user_chpass function of the MySQL module for Salt. The attack vector is a specially crafted password string. An attacker could escalate privileges on a MySQL server deployed by a cloud provider, which leads to RCE. The fixed version is 2018.3.4.
Risk Scores
- EPSS Score: 0.36% (58.7th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:16.04:LTS | salt | 2015.8.3+ds-3, 2015.8.5+ds-1, 2015.8.7+ds-1 |
| Ubuntu:Pro:18.04:LTS | salt | 2016.11.5+ds-1, 2017.7.2+dfsg1-2ubuntu1, 2017.7.3+dfsg1-1 |
| Ubuntu:Pro:14.04:LTS | salt | 0, 0.16.4-2, 0.17.1+dfsg-1 |
Exploit Intelligence
- https://github.com/saltstack/salt/blob/f22de0887cd7167887f113bf394244b74fb36b6b/salt/modules/mysql.py#L1534 (nist-nvd)
- https://github.com/ShantonRU/salt/commit/a46c86a987c78e74e87969d8d3b27094e6544b7a (circl)
- https://github.com/saltstack/salt/pull/51462 (circl)
- Minions.js (github-poc), 7 entries
…and 2 more exploits
Timeline
- Jul 18, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-1010259 (third-party-advisory)
- https://github.com/saltstack/salt/pull/51462 (third-party-advisory)
- https://www.cve.org/CVERecord?id=CVE-2019-1010259 (third-party-advisory)