Critical severity · CISA KEV · NVD Advisory · Published Nov 6, 2020 · Updated Oct 21, 2025
CVE-2020-16846
Description
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| salt | PyPI | < 2015.8.13 | 2015.8.13 |
| salt | PyPI | >= 2016.3.0, < 2016.3.8 | 2016.3.8 |
| salt | PyPI | >= 2016.11.0, < 2016.11.10 | 2016.11.10 |
| salt | PyPI | >= 2017.5.0, < 2017.7.8 | 2017.7.8 |
| salt | PyPI | >= 2018.2.0, < 2018.3.5 | 2018.3.5 |
| salt | PyPI | >= 2019.2.0, < 2019.2.6 | 2019.2.6 |
| salt | PyPI | >= 3000.0, < 3000.4 | 3000.4 |
| salt | PyPI | >= 3001, < 3001.2 | 3001.2 |
| salt | PyPI | >= 3002, < 3002.1 | 3002.1 |
Affected products
- SaltStack / SaltStack Salt
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html (ghsa; vendor-advisory; x_refsource_SUSE; WEB)
- github.com/advisories/GHSA-qr38-h96j-2j3w (ghsa; ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/ (mitre; vendor-advisory; x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-16846 (ghsa; ADVISORY)
- security.gentoo.org/glsa/202011-13 (ghsa; vendor-advisory; x_refsource_GENTOO; WEB)
- www.debian.org/security/2021/dsa-4837 (ghsa; vendor-advisory; x_refsource_DEBIAN; WEB)
- packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html (ghsa; x_refsource_MISC; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2020-104.yaml (ghsa; WEB)
- github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/2019.2.6.rst (ghsa; WEB)
- github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3000.4.rst (ghsa; WEB)
- github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3001.2.rst (ghsa; WEB)
- github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3002.1.rst (ghsa; WEB)
- lists.debian.org/debian-lts-announce/2020/12/msg00007.html (ghsa; mailing-list; x_refsource_MLIST; WEB)
- lists.debian.org/debian-lts-announce/2022/01/msg00000.html (ghsa; mailing-list; x_refsource_MLIST; WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA (ghsa; WEB)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (ghsa; WEB)
- www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves (ghsa; WEB)
- www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/ (mitre; x_refsource_CONFIRM)
- www.zerodayinitiative.com/advisories/ZDI-20-1379 (ghsa; WEB)
- www.zerodayinitiative.com/advisories/ZDI-20-1379/ (mitre; x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-20-1380 (ghsa; WEB)
- www.zerodayinitiative.com/advisories/ZDI-20-1380/ (mitre; x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-20-1381 (ghsa; WEB)
- www.zerodayinitiative.com/advisories/ZDI-20-1381/ (mitre; x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-20-1382 (ghsa; WEB)
- www.zerodayinitiative.com/advisories/ZDI-20-1382/ (mitre; x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-20-1383 (ghsa; WEB)
- www.zerodayinitiative.com/advisories/ZDI-20-1383/ (mitre; x_refsource_MISC)
News mentions
No linked articles in our index yet.