CVE-2020-16846

Description

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

How to fix CVE-2020-16846

To remediate CVE-2020-16846, upgrade the affected package to a fixed version below.

• Debian/salt—upgrade to 2016.11.2+ds-1+deb9u6 or later
• —upgrade to 2018.3.4+dfsg1-6+deb10u2 or later
• —upgrade to 2015.8.13 or later
• —upgrade to 2015.8.10 or later

Is CVE-2020-16846 being exploited?

Yes — CVE-2020-16846 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (4)

• from 0, < 2016.11.2+ds-1+deb9u6
• from 0, < 2018.3.4+dfsg1-6+deb10u2
• from 0, < 2015.8.13
• from 0, < 2015.8.10, >= 2015.8.11, < 2015.8.13, >= 2016.3.0, < 2016.3.4, >= 2016.3.5, < 2016.3.6, >= 2016.3.7, < 2016.3.8, >= 2016.11.0, < 2016.11.3, >= 2016.11.4, < 2016.11.6, >= 2016.11.7, < 2016.11.10, >= 2017.7.0, < 2017.7.4, >= 2017.7.5, < 2017.7.8, >= 2018.3.0rc1, < 2018.3.5, >= 2019.2.0, < 2019.2.5, >= 3000, < 3000.3

CVSS scores

References (31)

• ADVISORYgithub.com/advisories/GHSA-qr38-h96j-2j3w
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-16846
• ADVISORYwww.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
• ADVISORYwww.zerodayinitiative.com/advisories/ZDI-20-1379/