CVE-2020-16846 – salt
Package
Manager: pip
Name: salt
Vulnerable Version: >=0 <2015.8.13 || >=2016.3.0 <2016.3.8 || >=2016.11.0 <2016.11.10 || >=2017.5.0 <2017.7.8 || >=2018.2.0 <2018.3.5 || >=2019.2.0 <2019.2.6 || >=3000.0 <3000.4 || >=3001 <3001.2 || >=3002 <3002.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.94387 (percentile 0.99967)
Details
SaltStack Salt Command Injection in netapi ssh client
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
Metadata
Created: 2022-05-24T17:33:18Z
Modified: 2024-10-22T14:53:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qr38-h96j-2j3w/GHSA-qr38-h96j-2j3w.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-qr38-h96j-2j3w
Finding: F404
Auto approve: 1