← Voltar para CVEs
CVE-2020-16846
CRITICALCISA KEV9.8
Descricao
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
Detalhes CVE
Pontuacao CVSS v3.19.8
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado11/6/2020
Ultima modificacao11/7/2025
Fontekev
Avistamentos honeypot0
CISA KEV
FornecedorSaltStack
ProdutoSalt
Nome da vulnerabilidadeSaltStack Salt Shell Injection Vulnerability
Data inclusao KEV2021-11-03
Prazo de remediacao2022-05-03
Uso em ransomwareUnknown
Produtos afetados
debian:debian_linuxfedoraproject:fedoraopensuse:leapsaltstack:salt
Fraquezas (CWE)
CWE-78CWE-78
Referencias
http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html(cve@mitre.org)
https://github.com/saltstack/salt/releases(cve@mitre.org)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/(cve@mitre.org)
https://security.gentoo.org/glsa/202011-13(cve@mitre.org)
https://www.debian.org/security/2021/dsa-4837(cve@mitre.org)
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/(cve@mitre.org)
https://www.zerodayinitiative.com/advisories/ZDI-20-1379/(cve@mitre.org)
https://www.zerodayinitiative.com/advisories/ZDI-20-1380/(cve@mitre.org)
https://www.zerodayinitiative.com/advisories/ZDI-20-1381/(cve@mitre.org)
https://www.zerodayinitiative.com/advisories/ZDI-20-1382/(cve@mitre.org)
https://www.zerodayinitiative.com/advisories/ZDI-20-1383/(cve@mitre.org)
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/saltstack/salt/releases(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/(af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202011-13(af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2021/dsa-4837(af854a3a-2127-422b-91ae-364da2661108)
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/(af854a3a-2127-422b-91ae-364da2661108)
https://www.zerodayinitiative.com/advisories/ZDI-20-1379/(af854a3a-2127-422b-91ae-364da2661108)
https://www.zerodayinitiative.com/advisories/ZDI-20-1380/(af854a3a-2127-422b-91ae-364da2661108)
https://www.zerodayinitiative.com/advisories/ZDI-20-1381/(af854a3a-2127-422b-91ae-364da2661108)
https://www.zerodayinitiative.com/advisories/ZDI-20-1382/(af854a3a-2127-422b-91ae-364da2661108)
https://www.zerodayinitiative.com/advisories/ZDI-20-1383/(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-16846(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.