CVE-2020-16846
published 2020-11-06


Priority: P1 · 99 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 99.59% (99.9th percentile)

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

Affected

43 ranges, showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | debian_linux | | |
| fedoraproject | fedora | | |
| opensuse | leap | | |
| saltstack | salt | < 2015.8.10 | 2015.8.10 |
| saltstack | salt | | |
| saltstack | salt | | |
| saltstack | salt | >= 0 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 0 < 2015.8.10 | 2015.8.10 |
| saltstack | salt | >= 0 < 2015.8.8+ds-1ubuntu0.1+esm2 | 2015.8.8+ds-1ubuntu0.1+esm2 |
| saltstack | salt | >= 0 < 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 | 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2016.11.0 < 2016.11.3 | 2016.11.3 |
| saltstack | salt | >= 2016.11.0 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.11.0 < 2016.11.3 | 2016.11.3 |
| saltstack | salt | >= 2016.11.4 < 2016.11.6 | 2016.11.6 |
| saltstack | salt | >= 2016.11.4 < 2016.11.6 | 2016.11.6 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.0 < 2016.3.8 | 2016.3.8 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |

Detection & IOCs (extracted from sources)

other: token=1337&client=ssh&tgt=*&fun=a&roster={{roaster}}&ssh_priv={{priv}}
path: /salt/client/ssh/shell.py
  • Alert on POST /run requests where the body contains client=ssh combined with any of the injectable parameters: ssh_priv, ssh_user, ssh_port, ssh_remote_port_forwards, or ssh_options containing shell metacharacters.
  • Identify Salt API responses with HTTP 500 status, 'application/json' Content-Type header, and body containing 'An unexpected error occurred' as a sign of exploitation probe activity against CVE-2020-16846.
  • Check for the Content-Type: application/x-www-form-urlencoded header in suspect traffic; CherryPy aborts requests without it, so its presence alongside client=ssh is a strong exploit signal.
  • The rest-cherrypy netapi module is NOT enabled by default; the vulnerability is only exploitable if the module has been explicitly configured in /etc/salt/master.
  • The vulnerability specifically requires the SSH client to be enabled on the Salt API; deployments without salt-ssh configured are not affected via this attack path.
  • This CVE is listed in CISA KEV with a remediation due date of 2022-05-03, confirming active exploitation in the wild; treat all unpatched Salt API instances as actively targeted.
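
The request and response checks from the first three bullets above, combined into one detector as an added example (not code from this site or from the Salt project). The metacharacter set, function names and sample requests are assumptions constructed for illustration; the form body is decoded before matching so that percent-encoded metacharacters such as %3B are not missed.

```python
import re
from urllib.parse import parse_qs

# Parameters the page lists as injectable when client=ssh.
INJECTABLE = ("ssh_priv", "ssh_user", "ssh_port",
              "ssh_remote_port_forwards", "ssh_options")
# Assumption: the page does not define "shell metacharacters"; this set is ours.
SHELL_META = re.compile(r"[;|&`$<>(){}\n\r]")
FORM = "application/x-www-form-urlencoded"


def _media_type(content_type):
    """Media type without parameters such as charset, lower-cased."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def flag_request(method, path, content_type, body):
    """Return the injectable parameters that carry metacharacters, or []."""
    if method.upper() != "POST" or path.split("?", 1)[0].rstrip("/") != "/run":
        return []
    if _media_type(content_type) != FORM:
        return []  # per the page, CherryPy aborts requests without it
    # parse_qs percent-decodes, so %3B and '+' are seen as ';' and ' '.
    fields = parse_qs(body, keep_blank_values=True)
    if "ssh" not in fields.get("client", []):
        return []
    return [name for name in INJECTABLE
            if any(SHELL_META.search(v) for v in fields.get(name, []))]


def is_probe_response(status, content_type, body):
    """HTTP 500 + JSON + the error string the page names as a probe sign."""
    return (status == 500 and _media_type(content_type) == "application/json"
            and "An unexpected error occurred" in body)


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "/run", FORM, "client=ssh&tgt=web01&fun=test.ping&ssh_priv=/srv/keys/id_rsa"),
    ("POST", "/run", FORM + "; charset=utf-8",
     "token=x&client=ssh&tgt=*&fun=a&ssh_priv=key%3BPLACEHOLDER&ssh_port=22"),
    ("POST", "/run", FORM, "client=local&tgt=*&fun=test.ping&ssh_priv=a%7Cb"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(flag_request(*sample), sample[3])
```

A non-empty return value names the parameters to include in the alert; pair it with is_probe_response on the matching response to separate probes from ordinary salt-ssh use.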

CVSS provenance

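| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 9.8 | CRITICAL | |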