CVE-2020-11652


CVSS 6.5 MEDIUM · EPSS 86.1% · KEV (listed) · CWE-22 (Path Traversal)
In short

The SaltStack Salt master process (salt-master) lets an authenticated user reach directories outside the intended root, because some of the methods it exposes do not validate the paths they are given. Anyone holding valid credentials to the master can therefore access files and directories the master was never meant to expose. The CVSS vector on this page scores this as a confidentiality impact (C:H) with no integrity or availability impact, and its PR:L component reflects that valid authentication is required.

Technical detail

The ClearFuncs class in salt-master exposes some methods that do not properly sanitize the file paths passed to them, so an authenticated caller can perform a directory traversal (CWE-22) and reach arbitrary files and directories on the master, bypassing the intended access restrictions. The precondition is valid authentication to the master; the practical risk is highest where the master's ports are reachable from networks you do not fully trust or where minion keys or tokens are easy to obtain. Per the official description, the issue is fixed in 2019.2.4 and 3000.2.
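The following is an added illustration of the class of bug described above, written for this page; it is not SaltStack code and does not reproduce the actual ClearFuncs methods. It contrasts a hypothetical weak path check (rejecting only a leading `../` or `/`) with a hardened one that resolves the joined path and confirms it still lies under the root. The directory layout, the symlink and the sample inputs are constructed inside a temporary directory so the script runs offline.

```python
import os
import tempfile


def naive_join(root: str, user_path: str) -> str:
    """Hypothetical weak check: rejects only an obvious leading '../' or '/'.
    Deliberately insufficient, for contrast with safe_join()."""
    if user_path.startswith("../") or user_path.startswith("/"):
        raise ValueError("rejected by prefix check")
    # normpath collapses '..' but does not resolve symlinks, and a '..'
    # that is not at the start of the string passes the check above.
    return os.path.normpath(os.path.join(root, user_path))


def safe_join(root: str, user_path: str) -> str:
    """Hardened check: resolve symlinks and '..' with realpath, then require
    the result to share the root as its common prefix path."""
    root_abs = os.path.realpath(root)
    # os.path.join() discards root when user_path is absolute; the
    # commonpath check below catches that case as well.
    candidate = os.path.realpath(os.path.join(root_abs, user_path))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError(f"path escapes root: {user_path!r}")
    return candidate


def classify(root: str, user_path: str) -> dict:
    """Run both checks on one input and report what each would allow.
    'ESCAPE' means the naive version returned a path that resolves outside root."""
    root_abs = os.path.realpath(root)
    result = {}
    try:
        resolved = os.path.realpath(naive_join(root, user_path))
        inside = os.path.commonpath([root_abs, resolved]) == root_abs
        result["naive"] = "inside" if inside else "ESCAPE"
    except ValueError:
        result["naive"] = "rejected"
    try:
        safe_join(root, user_path)
        result["safe"] = "inside"
    except ValueError:
        result["safe"] = "rejected"
    return result


def demo() -> dict:
    """Constructed scenario: a root directory containing a symlink that
    points outside it, and a handful of attacker-style inputs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")
        os.mkdir(root)
        os.symlink(tmp, os.path.join(root, "link"))  # link -> parent of root
        inputs = [
            "keys/minion1.pub",      # legitimate relative path
            "../outside",            # caught by both
            "keys/../../outside",    # '..' not at start: slips past naive
            "/etc/passwd",           # absolute path
            "link/outside",          # symlink escape: slips past naive
        ]
        return {p: classify(root, p) for p in inputs}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path!r:24} naive={verdict['naive']:9} safe={verdict['safe']}")
```

The two inputs the weak check lets through are the ones to remember when reviewing any path-handling code: a `..` component that is not at the start of the string, and a symlink inside the root that points outside it. Only a check that resolves the final path and compares it against the resolved root catches both.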

Summary generated and translated by AI from the official description.
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
SaltStack Salt before 2019.2.4 · Salt 3000 before 3000.2 (per the official description; fixed in 2019.2.4 and 3000.2)
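A small added helper for checking a master's version against the two affected ranges named in the official description. This is example code written for this page, not a SaltStack tool; it assumes the version string is what `salt --version` prints (for example `salt 3000.1`) or a bare version such as `2019.2.3`, and it only answers for the ranges the description lists: anything newer than those ranges is reported as "not covered", which is not the same as "safe".

```python
import re

# Fixed versions named in the official description (assumed to be the
# only two ranges this helper needs to know about).
FIXED_2019 = (2019, 2, 4)   # everything before this is affected
FIXED_3000 = (3000, 2)      # 3000.x before this is affected


def parse_version(text: str) -> tuple:
    """Extract the numeric components from 'salt 3000.1', '2019.2.3', etc.
    Non-numeric suffixes (rc tags) are ignored."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def affected(text: str) -> bool:
    """True if the version falls inside an affected range from the
    description; False if it is at/after the fix or outside the listed
    ranges (e.g. 3001 and later, which the description does not mention)."""
    v = parse_version(text)
    if v[0] < 3000:
        return v < FIXED_2019          # covers 2019.2.x and older series
    if v[0] == 3000:
        return v < FIXED_3000          # 3000 and 3000.1
    return False                       # not covered by this description


if __name__ == "__main__":
    for sample in ["salt 2019.2.3", "2019.2.4", "salt 3000", "3000.1", "3000.2", "3001.1"]:
        print(f"{sample:16} affected={affected(sample)}")
```

Run it against `salt-master --version` on each master you own; a `True` means the build predates the fix for its series.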
⚠ Public resources for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
