CVE-2020-16846 : An issue was discovered in SaltStack Salt through 3002. Sending crafted web requ

Products affected by CVE-2020-16846

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 31
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt
Versions from including (>=) 2015.8.11 and before (<) 2015.8.13
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt
Versions from including (>=) 2019.2.0 and before (<) 2019.2.5
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt
Versions from including (>=) 3000.0 and before (<) 3000.3
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt
Versions from including (>=) 2017.5.0 and before (<) 2017.7.4
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt
Versions from including (>=) 2017.7.5 and before (<) 2017.7.8
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt
Versions from including (>=) 2016.3.0 and before (<) 2016.3.4
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt
Versions from including (>=) 2016.11.0 and before (<) 2016.11.3
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt
Versions from including (>=) 2018.2.0 and before (<) 2018.3.5
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt
Versions from including (>=) 2016.11.4 and before (<) 2016.11.6
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt
Versions from including (>=) 2016.3.5 and before (<) 2016.3.6
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt
Versions from including (>=) 2016.3.7 and before (<) 2016.3.8
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt
Versions from including (>=) 2016.11.7 and before (<) 2016.11.10
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt
Versions before (<) 2015.8.10
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt » Version: 3001
cpe:2.3:a:saltstack:salt:3001:*:*:*:*:*:*:*
Matching versions
Saltstack » Salt » Version: 3002
cpe:2.3:a:saltstack:salt:3002:*:*:*:*:*:*:*
Matching versions

CVE-2020-16846 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

SaltStack Salt Shell Injection Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

SaltStack Salt allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt API using the SSH client. This vulnerability affects any users running the Salt API.

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2020-16846

Added on 2021-11-03 Action due date 2022-05-03

Exploit prediction scoring system (EPSS) score for CVE-2020-16846

EPSS FAQ

94.39%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2020-16846

SaltStack Salt REST API Arbitrary Command Execution

Disclosure Date: 2020-11-03

First seen: 2020-11-11

exploit/linux/http/saltstack_salt_api_cmd_exec

This module exploits an authentication bypass and command injection in SaltStack Salt's REST API to execute commands as the root user. The following versions have received a patch: 2015.8.10, 2015.8.13, 2016.3.4, 2016.3.6, 2016.3.8, 2016.11.3, 2016.11.6, 201

More information

CVSS scores for CVE-2020-16846

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-07
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-16846

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2020-16846

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html

[security-announce] openSUSE-SU-2020:1868-1: critical: Security update f
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/

[SECURITY] Fedora 31 Update: salt-3001.3-1.fc31 - package-announce - Fedora mailing-lists
Release Notes
https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html

[SECURITY] [DLA 2480-2] salt regression update
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.zerodayinitiative.com/advisories/ZDI-20-1383/

ZDI-20-1383 | Zero Day Initiative
Third Party Advisory;VDB Entry
https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html

[SECURITY] [DLA 2480-1] salt security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.zerodayinitiative.com/advisories/ZDI-20-1381/

ZDI-20-1381 | Zero Day Initiative
Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html

SaltStack Salt REST API Arbitrary Command Execution ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry

CVEs referencing this url
https://www.zerodayinitiative.com/advisories/ZDI-20-1382/

ZDI-20-1382 | Zero Day Initiative
Third Party Advisory;VDB Entry
https://www.debian.org/security/2021/dsa-4837

Debian -- Security Information -- DSA-4837-1 salt
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.zerodayinitiative.com/advisories/ZDI-20-1380/

ZDI-20-1380 | Zero Day Initiative
Third Party Advisory;VDB Entry
https://security.gentoo.org/glsa/202011-13

Salt: Multiple vulnerabilities (GLSA 202011-13) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/

Active SaltStack CVEs Announced 11/3/20 | SaltStack
Broken Link;Vendor Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/

[SECURITY] Fedora 31 Update: salt-3001.3-1.fc31 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://github.com/saltstack/salt/releases

Releases · saltstack/salt · GitHub
Release Notes

CVEs referencing this url
https://www.zerodayinitiative.com/advisories/ZDI-20-1379/

ZDI-20-1379 | Zero Day Initiative
Third Party Advisory;VDB Entry

Vulnerability Details : CVE-2020-16846