The Salt-API’s SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
Created salt tracking bugs for this issue:
Affects: fedora-all [bug 1933324]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
Salt has been deprecated as of Red Hat Ceph Storage 2.5, as Salt was used to install RHSCON-2 and RHSCON-2 has reached End Of Life.