CVE-2020-16846 Scanner
Detects 'Shell Injection' vulnerability in SaltStack Salt affects v. through 3002.
Short Info
Level
Critical
Type
Single Scan
Can be used by
Asset Owner
Estimated Time
30 sec
Scan only one
Url
Parent Category
CVE-2020-16846 Scanner Detail
SaltStack Salt is an open-source software used for configuration management, remote execution, and event-driven automation. It is designed to simplify and streamline IT operations, enabling companies to centrally manage large-scale infrastructure. The software is widely used by IT professionals and developers to manage infrastructure across various platforms and environments. It provides a scalable framework that allows for automation of complex tasks, making IT operations efficient and cost-effective.
One of the vulnerabilities that has been detected in SaltStack Salt is CVE-2020-16846. This vulnerability occurs when a crafted web request is sent to the Salt API while the SSH client is enabled. The vulnerability allows an attacker to inject malicious shell commands that can compromise the entire system. This can lead to the complete takeover of the system, data theft, and unauthorized access to sensitive information.
Exploiting this vulnerability can have serious consequences for an organization. It can lead to data breaches, system crashes, and data loss. Attackers can use malicious shell commands to gain unauthorized access to systems, escalate privileges, and exfiltrate sensitive information. This can lead to financial losses, damage to company reputation, and legal liabilities.
Securityforeveryone.com provides a comprehensive platform that enables IT professionals and developers to discover, assess, and manage vulnerabilities in their digital assets. With its pro features, users can easily and quickly learn about vulnerabilities in their systems, including CVE-2020-16846. By using this platform, organizations can identify potential vulnerabilities and take immediate actions to mitigate them, thereby securing their digital assets and protecting their business interests.
REFERENCES
- https://github.com/saltstack/salt/releases
- https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
- lists.fedoraproject.org: FEDORA-2020-9e040bd6dd
- lists.opensuse.org: openSUSE-SU-2020:1868
- security.gentoo.org: GLSA-202011-13
- http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html
- https://www.zerodayinitiative.com/advisories/ZDI-20-1381/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1383/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1380/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1379/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1382/
- lists.debian.org: [debian-lts-announce] 20201204 [SECURITY] [DLA 2480-1] salt security update
- debian.org: DSA-4837
- lists.debian.org: [debian-lts-announce] 20220103 [SECURITY] [DLA 2480-2] salt regression update
control security posture