CVE-2020-16846
unknown
KEV
CVSS v3
—
CVSS v2
—
VIR risk
1.5
Description
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
CISA KEV
- Vendor
- SaltStack
- Product
- Salt
- Due date
- 2022-05-03
Predictions
Exploit likelihood
99%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://nvd.nist.gov/vuln/detail/CVE-2020-16846
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2020-16846.html
Exploits
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | salt | <2015.8.13 | 2015.8.13 |
| PyPI | salt | >=2016.3.0,<2016.3.8 | 2016.3.8 |
| PyPI | salt | >=2016.11.0,<2016.11.10 | 2016.11.10 |
| PyPI | salt | >=2017.5.0,<2017.7.8 | 2017.7.8 |
| PyPI | salt | >=2018.2.0,<2018.3.5 | 2018.3.5 |
| PyPI | salt | >=2019.2.0,<2019.2.6 | 2019.2.6 |
| PyPI | salt | >=3000.0,<3000.4 | 3000.4 |
| PyPI | salt | >=3001,<3001.2 | 3001.2 |
| PyPI | salt | >=3002,<3002.1 | 3002.1 |
| PyPI | salt | >=3000,<3000.3 | 2015.8.10 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-16846
- https://www.zerodayinitiative.com/advisories/ZDI-20-1383
- https://www.zerodayinitiative.com/advisories/ZDI-20-1382
- https://www.zerodayinitiative.com/advisories/ZDI-20-1381
- https://www.zerodayinitiative.com/advisories/ZDI-20-1380
- https://www.zerodayinitiative.com/advisories/ZDI-20-1379
- https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves
- https://www.debian.org/security/2021/dsa-4837
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-16846
- https://security.gentoo.org/glsa/202011-13
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA
- https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html
- https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html
- https://github.com/saltstack/salt/releases
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3002.1.rst#L12
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3001.2.rst#L10
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3000.4.rst#L10
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/2019.2.6.rst#L10
- https://github.com/saltstack/salt
- https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2020-104.yaml
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html
- http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html
- https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/
Verify integrity in audit chain (admin only). AS-IS.