VDB
CVE-2020-16846
CVE-2020-16846
PUBLISHED
KEV
An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
EPSS 94.39% · 100.0th percentile
Risk Scores
EPSS Score
94.39%
100.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:16.04:LTS | salt | 2015.8.3+ds-3, 2015.8.5+ds-1, 2015.8.8+ds-1 |
| Ubuntu:Pro:18.04:LTS | salt | 2017.7.2+dfsg1-2ubuntu1, 2017.7.3+dfsg1-1, 2017.7.4+dfsg1-1 |
| Ubuntu:Pro:14.04:LTS | salt | 0.16.0-1, 0.17.1+dfsg-1, 0.17.2-1 |
Timeline
- Nov 3, 2020 CVE Published
- Nov 11, 2020 PoC Published
- Nov 12, 2020 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Nov 3, 2021 CISA KEV Added
- Nov 8, 2021 PoC Published
- Nov 20, 2021 PoC Published
- Jan 4, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-16846 third-party-advisory
- https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/ third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-16846 third-party-advisory
- https://ubuntu.com/security/notices/USN-6948-1 vendor-advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog third-party-advisory
- https://ubuntu.com/security/notices/USN-7181-1 vendor-advisory