CVE-2020-16846

Advisory

An issue was discovered in SaltStack Salt affected versions. With the SSH client enabled, sending crafted web requests to the Salt API can result in shell injection.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

===========

Fixed
-----

- Prevent shell injections in netapi ssh client (cve-2020-16846)
- Prevent creating world readable private keys with the tls execution module. (cve-2020-17490)

Resources

• https://github.com/saltstack/salt/pull/58871/commits/a553580971ffe08bc9c684a5071c43d3708f0ad6
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16846
• https://github.com/saltstack/salt/releases
• https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/
• http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html
• https://security.gentoo.org/glsa/202011-13
• http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html
• https://www.zerodayinitiative.com/advisories/ZDI-20-1380/
• https://www.zerodayinitiative.com/advisories/ZDI-20-1379/
• https://www.zerodayinitiative.com/advisories/ZDI-20-1383/
• https://www.zerodayinitiative.com/advisories/ZDI-20-1381/
• https://www.zerodayinitiative.com/advisories/ZDI-20-1382/
• https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html
• https://www.debian.org/security/2021/dsa-4837
• https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html
• https://github.com/saltstack/salt/commit/812ebd3038ba1816731b5cc80e872dc330e5d81e