// For flags

CVE-2020-11651

SaltStack Salt Authentication Bypass Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

10
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

-
*SSVC
Descriptions

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

Se ha descubierto un fallo de salto de archivo en todas las versiones de ansible-engine 2.9.x anteriores a la versión 2.9.7, cuando se ejecuta una instalación de una colección ansible-galaxy. Al extraer un archivo .tar.gz de la colección, el directorio es creado sin sanear el nombre del archivo. Un atacante podría aprovechar para sobrescribir cualquier archivo dentro del sistema.

Saltstack version 3000.1 suffers from a remote code execution vulnerability.

SaltStack Salt contains an authentication bypass vulnerability in the salt-master process ClearFuncs due to improperly validating method calls. The vulnerability allows a remote user to access some methods without authentication, which can be used to retrieve user tokens from the salt master and/or run commands on salt minions. Salt users who follow fundamental internet security guidelines and best practices are not affected by this vulnerability.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-04-08 CVE Reserved
  • 2020-04-30 CVE Published
  • 2020-05-04 First Exploit
  • 2021-11-03 Exploited in Wild
  • 2022-05-03 KEV Due Date
  • 2024-08-04 CVE Updated
  • 2024-08-24 EPSS Updated
CWE
CAPEC
References (23)
URL Tag Source
http://www.vmware.com/security/advisories/VMSA-2020-0009.html Third Party Advisory
https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html Mailing List
https://labs.f-secure.com/advisories/saltstack-authorization-bypass
https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652
https://www.vmware.com/security/advisories/VMSA-2020-0009.html
https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py
URL Date SRC
https://www.exploit-db.com/exploits/48421 2020-05-05
https://github.com/jasperla/CVE-2020-11651-poc 2020-07-10
https://github.com/ssrsec/CVE-2020-11651-CVE-2020-11652-EXP 2023-03-21
https://github.com/0xc0d/CVE-2020-11651 2021-07-07
https://github.com/kevthehermit/CVE-2020-11651 2020-05-04
https://github.com/RakhithJK/CVE-2020-11651 2020-05-04
https://github.com/appcheck-ng/salt-rce-scanner-CVE-2020-11651-CVE-2020-11652 2020-11-30
https://github.com/hardsoftsecurity/CVE-2020-11651-PoC 2023-12-18
http://packetstormsecurity.com/files/157560/Saltstack-3000.1-Remote-Code-Execution.html 2024-08-04
http://packetstormsecurity.com/files/157678/SaltStack-Salt-Master-Minion-Unauthenticated-Remote-Code-Execution.html 2024-08-04
URL Date SRC
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html 2022-07-12
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00070.html 2022-07-12
https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html 2022-07-12
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG 2020-04-30
https://usn.ubuntu.com/4459-1 2022-07-12
https://www.debian.org/security/2020/dsa-4676 2022-07-12
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Saltstack
Search vendor "Saltstack"
 Salt
Search vendor "Saltstack" for product "Salt"
 < 2019.2.4
Search vendor "Saltstack" for product "Salt" and version " < 2019.2.4"
-
Affected
Saltstack
Search vendor "Saltstack"
 Salt
Search vendor "Saltstack" for product "Salt"
 >= 3000 < 3000.2
Search vendor "Saltstack" for product "Salt" and version " >= 3000 < 3000.2"
-
Affected
Opensuse
Search vendor "Opensuse"
 Leap
Search vendor "Opensuse" for product "Leap"
 15.1
Search vendor "Opensuse" for product "Leap" and version "15.1"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
esm
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 18.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"
lts
Affected
Vmware
Search vendor "Vmware"
 Application Remote Collector
Search vendor "Vmware" for product "Application Remote Collector"
 7.5.0
Search vendor "Vmware" for product "Application Remote Collector" and version "7.5.0"
-
Affected
Vmware
Search vendor "Vmware"
 Application Remote Collector
Search vendor "Vmware" for product "Application Remote Collector"
 8.0.0
Search vendor "Vmware" for product "Application Remote Collector" and version "8.0.0"
-
Affected