CVE-2020-16846
CRITICAL | CISA KEV | 9.8
Description
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
CVE Details
CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 11/6/2020
Last Modified: 11/7/2025
Source: kev
Honeypot Sightings: 0
CISA KEV
Vendor: SaltStack
Product: Salt
Vulnerability Name: SaltStack Salt Shell Injection Vulnerability
KEV Date Added: 2021-11-03
Remediation Due Date: 2022-05-03
Ransomware Use: Unknown
Affected Products
debian:debian_linux
fedoraproject:fedora
opensuse:leap
saltstack:salt
Weaknesses (CWE)
CWE-78
References
http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html (cve@mitre.org)
https://github.com/saltstack/salt/releases (cve@mitre.org)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/ (cve@mitre.org)
https://security.gentoo.org/glsa/202011-13 (cve@mitre.org)
https://www.debian.org/security/2021/dsa-4837 (cve@mitre.org)
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/ (cve@mitre.org)
https://www.zerodayinitiative.com/advisories/ZDI-20-1379/ (cve@mitre.org)
https://www.zerodayinitiative.com/advisories/ZDI-20-1380/ (cve@mitre.org)
https://www.zerodayinitiative.com/advisories/ZDI-20-1381/ (cve@mitre.org)
https://www.zerodayinitiative.com/advisories/ZDI-20-1382/ (cve@mitre.org)
https://www.zerodayinitiative.com/advisories/ZDI-20-1383/ (cve@mitre.org)
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html (af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/saltstack/salt/releases (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202011-13 (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2021/dsa-4837 (af854a3a-2127-422b-91ae-364da2661108)
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.zerodayinitiative.com/advisories/ZDI-20-1379/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.zerodayinitiative.com/advisories/ZDI-20-1380/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.zerodayinitiative.com/advisories/ZDI-20-1381/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.zerodayinitiative.com/advisories/ZDI-20-1382/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.zerodayinitiative.com/advisories/ZDI-20-1383/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-16846 (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.