CVE DATABASE  /  CVE-2020-16846

CVE-2020-16846

SaltStack Salt Shell Injection Vulnerability

Summary

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

CVSS 3.1 breakdown

Weakness type (CWE)

• CWE-78

Affected products

References

• http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html
• http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html
• https://github.com/saltstack/salt/releases
• https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html
• https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/
• https://security.gentoo.org/glsa/202011-13
• https://www.debian.org/security/2021/dsa-4837
• https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
• https://www.zerodayinitiative.com/advisories/ZDI-20-1379/
• https://www.zerodayinitiative.com/advisories/ZDI-20-1380/
• https://www.zerodayinitiative.com/advisories/ZDI-20-1381/
• https://www.zerodayinitiative.com/advisories/ZDI-20-1382/
• https://www.zerodayinitiative.com/advisories/ZDI-20-1383/
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-16846

Data: NIST NVD + CISA KEV. NVD last modified 2025-11-07. Always verify against the vendor advisory before acting.