CVE-2020-16846

CRITICAL KEV NUCLEI LAB

SaltStack Salt REST API Arbitrary Command Execution

Title source: metasploit

Description

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

Exploits (2)

nomisec WORKING POC
by hamza-boudouche · poc
https://github.com/hamza-boudouche/projet-secu
nomisec WORKING POC
by zomy22 · poc
https://github.com/zomy22/CVE-2020-16846-Saltstack-Salt-API

Nuclei Templates (1)

SaltStack <=3002 - Shell Injection
CRITICAL · by dwisiswant0

References (15)

Scores

CVSS v3 9.8
EPSS 0.9439
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull praqma/network-multitool:alpine-extra

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-04-24
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-0173
CWE CWE-78
Status published
Products (8)
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 31
opensuse/leap 15.1
pypi/salt 0 - 2015.8.13 (PyPI)
saltstack/salt 3001
saltstack/salt 3002
saltstack/salt < 2015.8.10
Published Nov 06, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026