VDB
CVE-2020-11652
CVE-2020-11652
PUBLISHED
KEV
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.
EPSS 93.68% · 99.9th percentile
Risk Scores
EPSS Score
93.68%
99.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | salt | 2016.11.5+ds-1, 2016.11.8+dfsg1-1, 2017.7.2+dfsg1-2ubuntu1 |
| Ubuntu:16.04:LTS | salt | 0, 2015.5.3+ds-1, 2015.8.1+ds-2 |
| Ubuntu:Pro:14.04:LTS | salt | 0.16.0-1, 0.16.4-2, 0.17.2-1 |
Exploit Intelligence
- CVE-2020-11651: Proof of Concept (github-poc-repo)
- CVE-2020-11651: Proof of Concept (github-poc-repo)
- CVE-2020-11651: Proof of Concept (github-poc-repo)
- CVE-2020-11651: Proof of Concept (github-poc-repo)
- CVE-2020-11651: Proof of Concept (github-poc-repo)
- CVE-2020-11651: Proof of Concept (github-poc-repo)
- CVE-2020-11651: Proof of Concept (github-poc-repo)
- CVE-2020-11651: Proof of Concept (github-poc-repo)
- CVE-2020-11651: Proof of Concept (github-poc-repo)
- CVE-2020-11651: Proof of Concept (github-poc-repo)
…and 221 more exploits
Timeline
- Jan 19, 1970 VulnCheck XDB Entry
- Jan 19, 1970 VulnCheck XDB Entry
- Jan 19, 1970 VulnCheck XDB Entry
- Jan 19, 1970 VulnCheck XDB Entry
- Jan 19, 1970 VulnCheck XDB Entry
- Jan 20, 1970 VulnCheck XDB Entry
- Jan 21, 1970 VulnCheck XDB Entry
- Apr 30, 2020 CVE Published
- May 3, 2020 PoC Published
- May 4, 2020 PoC Published
- May 7, 2020 PoC Published
- May 12, 2020 PoC Published
References
- https://ubuntu.com/security/notices/USN-4459-1 vendor-advisory
- https://ubuntu.com/security/CVE-2020-11652 third-party-advisory
- https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst third-party-advisory
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html third-party-advisory
- https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-11652 third-party-advisory
- https://ubuntu.com/security/notices/USN-6849-1 vendor-advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog third-party-advisory
- Multiples vulnérabilités dans SaltStack advisory