CVE-2020-16846 Information

Description

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API with the SSH client enabled can result in shell injection.

Reference

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html https://github.com/saltstack/salt/releases https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/ https://security.gentoo.org/glsa/202011-13 https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/