CVE-2020-16846
published 2020-11-06
Priority: P1 (99) · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2022-05-03
Exploited in the wild
EPSS: 99.59% (99.9th percentile)
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
Affected
43 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| opensuse | leap | — | — |
| saltstack | salt | < 2015.8.10 | 2015.8.10 |
| saltstack | salt | — | — |
| saltstack | salt | — | — |
| saltstack | salt | >= 0 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 0 < 2015.8.10 | 2015.8.10 |
| saltstack | salt | >= 0 < 2015.8.8+ds-1ubuntu0.1+esm2 | 2015.8.8+ds-1ubuntu0.1+esm2 |
| saltstack | salt | >= 0 < 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 | 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2016.11.0 < 2016.11.3 | 2016.11.3 |
| saltstack | salt | >= 2016.11.0 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.11.0 < 2016.11.3 | 2016.11.3 |
| saltstack | salt | >= 2016.11.4 < 2016.11.6 | 2016.11.6 |
| saltstack | salt | >= 2016.11.4 < 2016.11.6 | 2016.11.6 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.0 < 2016.3.8 | 2016.3.8 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |
Detection & IOCs (extracted from sources)
- Alert on POST /run requests whose body contains client=ssh together with any of the injectable parameters (ssh_priv, ssh_user, ssh_port, ssh_remote_port_forwards, ssh_options) where the value contains shell metacharacters.
- Treat Salt API responses with HTTP 500 status, an 'application/json' Content-Type header, and a body containing 'An unexpected error occurred' as a sign of exploitation probe activity against CVE-2020-16846.
- Check for the Content-Type: application/x-www-form-urlencoded header in suspected exploit traffic; CherryPy aborts requests without it, so its presence alongside client=ssh is a strong exploit signal.
- The rest-cherrypy netapi module is NOT enabled by default; the vulnerability is only exploitable if the module has been explicitly configured in /etc/salt/master.
- The vulnerability specifically requires the SSH client to be enabled on the Salt API; deployments without salt-ssh configured are not affected via this attack path.
- This CVE is listed in CISA KEV with a remediation due date of 2022-05-03, confirming active exploitation in the wild; treat all unpatched Salt API instances as actively targeted.
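The first detection rule above, written as request-inspection logic in Python. This is an added example, not code from Salt or from the sources quoted on this page; the function names, the metacharacter set and the sample bodies are constructed for illustration. It also handles JSON bodies, which the Suricata M2-M4 rules further down this page match.

```python
import json
import re
from urllib.parse import parse_qs

# Parameters this page lists as injectable when client=ssh.
SSH_PARAMS = ("ssh_priv", "ssh_user", "ssh_port",
              "ssh_remote_port_forwards", "ssh_options")
# Assumed metacharacter set (whitespace plus common shell syntax); tune locally.
SHELL_META = re.compile(r"[\s;|&$`<>()\\'\"]")


def _chunks(content_type, body):
    """Normalise a request body into a list of {parameter: [values]} dicts."""
    if "json" in content_type.lower():
        try:
            doc = json.loads(body)
        except ValueError:
            return []
        items = doc if isinstance(doc, list) else [doc]
        return [{k: v if isinstance(v, list) else [v] for k, v in c.items()}
                for c in items if isinstance(c, dict)]
    # parse_qs percent-decodes, so %20 and %7C are inspected as ' ' and '|'.
    return [parse_qs(body, keep_blank_values=True)]


def inspect_run_request(method, path, content_type, body):
    """Return (parameter, reason) findings for one captured HTTP request."""
    if method.upper() != "POST" or not path.startswith("/run"):
        return []
    findings = []
    for chunk in _chunks(content_type, body):
        if "ssh" not in [str(v) for v in chunk.get("client", [])]:
            continue  # only the SSH client path is in scope for this CVE
        for name in SSH_PARAMS:
            for value in chunk.get(name, []):
                value = str(value)
                if name == "ssh_port" and not value.isdigit():
                    findings.append((name, "non-numeric port"))
                elif SHELL_META.search(value):
                    findings.append((name, "shell metacharacter"))
    return findings


# Constructed sample bodies (not captured traffic).
FORM = "application/x-www-form-urlencoded"
BENIGN = "client=ssh&tgt=web01&fun=test.ping&ssh_port=22&ssh_user=deploy"
SUSPECT_FORM = "client=ssh&tgt=web01&fun=test.ping&ssh_priv=k%7CPLACEHOLDER"
SUSPECT_JSON = ('[{"client": "ssh", "tgt": "web01", "fun": "test.ping", '
                '"ssh_port": "22/PLACEHOLDER"}]')

if __name__ == "__main__":
    for ctype, body in ((FORM, BENIGN), (FORM, SUSPECT_FORM),
                        ("application/json", SUSPECT_JSON)):
        print(inspect_run_request("POST", "/run", ctype, body))
```

Feed it the method, URI, Content-Type and body fields from a reverse-proxy or WAF log; any non-empty result on a host where rest-cherrypy is enabled in /etc/salt/master warrants review.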
CVSS provenance
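| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 9.8 | CRITICAL | |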
Ubuntu
Salt vulnerability
vendor_ubuntu·2025-01-06
CVE-2020-16846 Salt vulnerability
Title: Salt vulnerability
Summary: Salt could be made to crash or run programs if it received specially
crafted network traffic.
It was discovered that Salt incorrectly handled web requests when the SSH
client was enabled. An attacker could possibly use this issue to achieve
remote code execution or obtain sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Salt vulnerabilities
vendor_ubuntu·2024-08-08·CVSS 9.8
CVE-2020-16846 [CRITICAL] Salt vulnerabilities
Title: Salt vulnerabilities
Summary: Several security issues were fixed in Salt.
It was discovered that Salt incorrectly handled crafted web requests.
A remote attacker could possibly use this issue to run arbitrary
commands. (CVE-2020-16846)
It was discovered that Salt incorrectly created certificates with weak
file permissions. (CVE-2020-17490)
It was discovered that Salt incorrectly handled credential validation.
A remote attacker could possibly use this issue to bypass authentication.
(CVE-2020-25592)
It was discovered that Salt incorrectly handled crafted process names.
An attacker could possibly use this issue to run arbitrary commands.
This issue only affected Ubuntu 18.04 LTS. (CVE-2020-28243)
It was discovered that Salt incorrectly handled validation of SSL/TLS
certificates.
CISA
SaltStack Salt Shell Injection Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2020-16846 [CRITICAL] CWE-78 SaltStack Salt Shell Injection Vulnerability
Vulnerability: SaltStack Salt Shell Injection Vulnerability
Affected: SaltStack Salt
SaltStack Salt allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt API using the SSH client. This vulnerability affects any users running the Salt API.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-16846
Remediation Due Date: 2022-05-03
Red Hat
salt: sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection
vendor_redhat·2020-11-03·CVSS 9.8
CVE-2020-16846 [CRITICAL] CWE-78 salt: sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
A flaw was found in salt. A shell injection vulnerability was found where an unauthenticated user with network access to the Salt API can use shell injections to run code on the Salt-API using the SSH client. An attacker could use this flaw to cause a denial of service, information disclosure, or privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: Red Hat Ceph Storage 2 shipped salt for the usage of Red Hat Storage Console
OSV
salt vulnerabilities
osv·2024-08-08·CVSS 9.8
CVE-2020-16846 [CRITICAL] salt vulnerabilities
It was discovered that Salt incorrectly handled crafted web requests.
A remote attacker could possibly use this issue to run arbitrary
commands. (CVE-2020-16846)
It was discovered that Salt incorrectly created certificates with weak
file permissions. (CVE-2020-17490)
It was discovered that Salt incorrectly handled credential validation.
A remote attacker could possibly use this issue to bypass authentication.
(CVE-2020-25592)
It was discovered that Salt incorrectly handled crafted process names.
An attacker could possibly use this issue to run arbitrary commands.
This issue only affected Ubuntu 18.04 LTS. (CVE-2020-28243)
It was discovered that Salt incorrectly handled validation of SSL/TLS
certificates. A remote attacker could possibly use this issue to spoof
a t
GHSA
SaltStack Salt Command Injection in netapi ssh client
ghsa·2022-05-24
CVE-2020-16846 [CRITICAL] CWE-78 SaltStack Salt Command Injection in netapi ssh client
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
OSV
SaltStack Salt Command Injection in netapi ssh client
osv·2022-05-24
CVE-2020-16846 [CRITICAL] SaltStack Salt Command Injection in netapi ssh client
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
OSV
CVE-2020-16846: An issue was discovered in SaltStack Salt through 3002
osv·2020-11-06
CVE-2020-16846 CVE-2020-16846: An issue was discovered in SaltStack Salt through 3002
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
VulnCheck
SaltStack Salt Shell Injection Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-16846 [CRITICAL] CWE-78 SaltStack Salt Shell Injection Vulnerability
SaltStack Salt allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt API using the SSH client. This vulnerability affects any users running the Salt API.
Affected: SaltStack Salt
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.bleepingcomputer.com/news/security/new-cryptomining-malware-builds-an-army-of-windows-linux-bots/; https://cujo.com/the-sysrv-botnet-and-how-it-evolved/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-24-PalotayZsigovits.pdf; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&hos
Suricata
ET EXPLOIT SaltStack Salt Exploitation Inbound M2 (CVE-2020-16846)
suricata·2025-03-03·CVSS 9.8
CVE-2020-16846 [CRITICAL] ET EXPLOIT SaltStack Salt Exploitation Inbound M2 (CVE-2020-16846)
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] 8000 (msg:"ET EXPLOIT SaltStack Salt Exploitation Inbound M2 (CVE-2020-16846)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/run"; startswith; http.request_body; content:"ssh_port="; fast_pattern; pcre:"/^[^&]+\x2f/R"; content:"|22|client|22|"; content:"|22|ssh|22|"; within:8; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-16846/CVE-2020-16846.rules; reference:cve,2020-16846; classtype:web-application-attack; sid:2060514; rev:1; metadata:attack_target Server, created_at 2025_03_03, cve CVE_2020_16846, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Expl
Suricata
ET EXPLOIT SaltStack Salt Exploitation Inbound M4 (CVE-2020-16846)
suricata·2025-03-03·CVSS 9.8
CVE-2020-16846 [CRITICAL] ET EXPLOIT SaltStack Salt Exploitation Inbound M4 (CVE-2020-16846)
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] 8000 (msg:"ET EXPLOIT SaltStack Salt Exploitation Inbound M4 (CVE-2020-16846)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/run"; startswith; http.request_body; content:"|22|ssh_port|22|"; fast_pattern; content:"|22|"; within:4; pcre:"/^[^\x22]+\x2f/R"; content:"|22|client|22|"; content:"|22|ssh|22|"; within:8; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-16846/CVE-2020-16846.rules; reference:cve,2020-16846; classtype:web-application-attack; sid:2060516; rev:1; metadata:attack_target Server, created_at 2025_03_03, cve CVE_2020_16846, deployment Perimeter, deployment Internal, signature_severity Major, tag Exploit,
Suricata
ET EXPLOIT SaltStack Salt Exploitation Inbound M3 (CVE-2020-16846)
suricata·2025-03-03·CVSS 9.8
CVE-2020-16846 [CRITICAL] ET EXPLOIT SaltStack Salt Exploitation Inbound M3 (CVE-2020-16846)
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] 8000 (msg:"ET EXPLOIT SaltStack Salt Exploitation Inbound M3 (CVE-2020-16846)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/run"; startswith; http.request_body; content:"|22|client|22|"; content:"|22|ssh|22|"; within:8; content:"|22|ssh_priv|22|"; fast_pattern; content:"|22 7c|"; within:5; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-16846/CVE-2020-16846.rules; reference:cve,2020-16846; classtype:web-application-attack; sid:2060515; rev:1; metadata:attack_target Server, created_at 2025_03_03, cve CVE_2020_16846, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updat
Suricata
ET EXPLOIT SaltStack Salt Exploitation Inbound M1 (CVE-2020-16846)
suricata·2021-01-07·CVSS 9.8
CVE-2020-16846 [CRITICAL] ET EXPLOIT SaltStack Salt Exploitation Inbound M1 (CVE-2020-16846)
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] 8000 (msg:"ET EXPLOIT SaltStack Salt Exploitation Inbound M1 (CVE-2020-16846)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/run"; startswith; http.request_body; content:"client=ssh"; fast_pattern; content:"ssh_priv="; content:"%20"; distance:0; reference:cve,2020-16846; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-16846/CVE-2020-16846.rules; reference:cve,2020-16846; classtype:web-application-attack; sid:2031495; rev:1; metadata:attack_target Server, created_at 2021_01_07, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Gene
Nuclei
SaltStack <=3002 - Shell Injection
nuclei·CVSS 9.8
CVE-2020-16846 [CRITICAL] SaltStack <=3002 - Shell Injection
SaltStack =3003) to mitigate this vulnerability.
reference:
- https://saltproject.io/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
- https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag
- https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846
- https://nvd.nist.gov/vuln/detail/CVE-2020-16846
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-16846
cwe-id: CWE-78
epss-score: 0.94387
epss-percentile: 0.99972
cpe: cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: saltstack
product: salt
tags: cve2020,cve,vulhub,saltstack,kev,vkev,vuln
variables:
priv: "{{to_lower(rand_text_alpha(5))}}"
roaster: "{{to_lower(r
Metasploit
SaltStack Salt REST API Arbitrary Command Execution
metasploit
This module exploits an authentication bypass and command injection in SaltStack Salt's REST API to execute commands as the root user. The following versions have received a patch: 2015.8.10, 2015.8.13, 2016.3.4, 2016.3.6, 2016.3.8, 2016.11.3, 2016.11.6, 2016.11.10, 2017.7.4, 2017.7.8, 2018.3.5, 2019.2.5, 2019.2.6, 3000.3, 3000.4, 3001.1, 3001.2, and 3002. Tested against 2019.2.3 from Vulhub and 3002 on Ubuntu 20.04.1.
Trendmicro
Detailing SaltStack Salt Command Injection Vulnerabilities
blogs_trendmicro·2020-11-24
# Detailing SaltStack Salt Command Injection Vulnerabilities
This post details the SaltStack Salt command injection vulnerabilities.
By: Zero Day Initiative
2020/11/24
On November 03, SaltStack released a security patch for Salt to fix three critical vulnerabilities. Two of these fixes were in response to five bugs originally reported through the ZDI program. These bugs can be used to achieve unauthenticated command injection on a system running the affected Salt application. ZDI-CAN-11143 was reported to the ZDI program by an anonymous researcher, while the remaining bugs are variants of ZDI-CAN-11143 discovered by me. In this blog, we will look into the root cause of these bugs.
The Vulnerability
The vulnerabilities affect the rest-cherrypy netapi
Tenable
CVE-2020-16846, CVE-2020-25592: Critical Vulnerabilities in Salt Framework Disclosed
blogs_tenable·2020-11-04·CVSS 9.8
[CRITICAL] CVE-2020-16846, CVE-2020-25592: Critical Vulnerabilities in Salt Framework Disclosed
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html
- http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html
- https://github.com/saltstack/salt/releases
- https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html
- https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/
- https://security.gentoo.org/glsa/202011-13
- https://www.debian.org/security/2021/dsa-4837
- https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1379/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1380/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1381/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1382/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1383/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-16846
2020-11-06: Published
2021-11-03: Added to CISA KEV
Exploited in the wild