An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
CVSS Details
- CVSS 3.1 Base Score: 9.8
- CVSS 3.1 Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Covered by Rapid7
| Product | Vendor Advisory | Solution File | Added | Published |
|---|---|---|---|---|
| Alpine Linux | alpine-linux-upgrade-salt | Aug 22, 2024 | Nov 6, 2020 | |
| Arch Linux | arch-linux-upgrade-latest | Jul 11, 2025 | Nov 6, 2020 | |
| Debian | debian-upgrade-salt | Dec 7, 2020 | Nov 6, 2020 | |
| Freebsd | freebsd-upgrade-package-py36-saltfreebsd-upgrade-package-py37-saltfreebsd-upgrade-package-py38-salt | Nov 13, 2020 | Nov 12, 2020 | |
| Gentoo Linux | gentoo-linux-upgrade-app-admin-salt | Nov 12, 2020 | Nov 6, 2020 | |
| Saltstack | — | saltstack-upgrade-latest-version | Nov 11, 2020 | Nov 3, 2020 |
| Suse | — | suse-upgrade-koansuse-upgrade-mgr-daemonsuse-upgrade-python2-saltsuse-upgrade-python2-spacewalk-checksuse-upgrade-python2-spacewalk-client-setupsuse-upgrade-python2-spacewalk-client-toolssuse-upgrade-python3-saltsuse-upgrade-saltsuse-upgrade-salt-apisuse-upgrade-salt-bash-completionsuse-upgrade-salt-cloudsuse-upgrade-salt-docsuse-upgrade-salt-fish-completionsuse-upgrade-salt-mastersuse-upgrade-salt-minionsuse-upgrade-salt-proxysuse-upgrade-salt-sshsuse-upgrade-salt-standalone-formulas-configurationsuse-upgrade-salt-syndicsuse-upgrade-salt-zsh-completionsuse-upgrade-spacecmdsuse-upgrade-spacewalk-checksuse-upgrade-spacewalk-client-setupsuse-upgrade-spacewalk-client-tools | Nov 6, 2020 | Nov 4, 2020 |
| Ubuntu | ubuntu-pro-upgrade-salt-commonubuntu-pro-upgrade-salt-masterubuntu-pro-upgrade-salt-minionubuntu-pro-upgrade-salt-sshubuntu-pro-upgrade-salt-syndic | Aug 9, 2024 | Nov 6, 2020 |
Prioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub