An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.
Published 2020-04-30 17:15:12
Updated 2022-05-03 14:21:49
Source MITRE
View at NVD,   CVE.org
Vulnerability category: Directory traversal

Products affected by CVE-2020-11652

CVE-2020-11652 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
SaltStack Salt Path Traversal Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
SaltStack Salt contains a path traversal vulnerability in the salt-master process ClearFuncs which allows directory access to authenticated users. Salt users who follow fundamental internet security guidelines and best practices are not affected by this vulnerability.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2020-11652
Added on 2021-11-03 Action due date 2022-05-03

Exploit prediction scoring system (EPSS) score for CVE-2020-11652

97.14%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2020-11652

  • SaltStack Salt Master Server Root Key Disclosure
    Disclosure Date: 2020-04-30
    First seen: 2020-05-14
    auxiliary/gather/saltstack_salt_root_key
    This module exploits unauthenticated access to the _prep_auth_info() method in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands t
  • SaltStack Salt Master/Minion Unauthenticated RCE
    Disclosure Date: 2020-04-30
    First seen: 2020-05-14
    exploit/linux/misc/saltstack_salt_unauth_rce
    This module exploits unauthenticated access to the runner() and _send_pub() methods in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to execute code as root on either the master or on select minio

CVSS scores for CVE-2020-11652

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
4.0
MEDIUM AV:N/AC:L/Au:S/C:P/I:N/A:N
8.0
2.9
NIST
6.5
MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2.8
3.6
NIST

CWE ids for CVE-2020-11652

  • The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
    Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-11652

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!