CVE-2019-1010259

Name of the Vulnerable Software and Affected Versions: SaltStack Salt versions 2018.3 through 2018.3.3 SaltStack Salt version 2019.2

Description: The issue allows an attacker to escalate privileges on a MySQL server deployed by a cloud provider, leading to remote code execution (RCE). This is achieved through a SQL injection attack using a specially crafted password string. The vulnerable component is the mysql.user chpass function from the MySQL module for Salt.

Recommendations: For SaltStack Salt versions 2018.3 through 2018.3.3, update to version 2018.3.4 to resolve the issue. For SaltStack Salt version 2019.2, update to a version that includes the fix for this issue, as the specific fixed version for 2019.2 is not provided. As a temporary workaround, consider restricting the use of the mysql.user chpass function until a patch is available.