{"api_version":"1","generated_at":"2026-04-23T09:38:57+00:00","cve":"CVE-2020-16846","urls":{"html":"https://cve.report/CVE-2020-16846","api":"https://cve.report/api/cve/CVE-2020-16846.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-16846","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-16846"},"summary":{"title":"CVE-2020-16846","description":"An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-11-06 08:15:00","updated_at":"2023-11-07 03:19:00"},"problem_types":["CWE-78"],"metrics":[],"references":[{"url":"http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html","name":"http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html","refsource":"MISC","tags":["Third Party Advisory"],"title":"SaltStack Salt REST API Arbitrary Command Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html","name":"[debian-lts-announce] 20220103 [SECURITY] [DLA 2480-2] salt regression update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2480-2] salt regression update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.zerodayinitiative.com/advisories/ZDI-20-1379/","name":"https://www.zerodayinitiative.com/advisories/ZDI-20-1379/","refsource":"MISC","tags":[],"title":"ZDI-20-1379 | Zero Day Initiative","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/saltstack/salt/releases","name":"https://github.com/saltstack/salt/releases","refsource":"MISC","tags":["Third Party Advisory"],"title":"Releases · saltstack/salt · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html","name":"[debian-lts-announce] 20201204 [SECURITY] [DLA 2480-1] salt security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2480-1] salt security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.zerodayinitiative.com/advisories/ZDI-20-1383/","name":"https://www.zerodayinitiative.com/advisories/ZDI-20-1383/","refsource":"MISC","tags":[],"title":"ZDI-20-1383 | Zero Day Initiative","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.zerodayinitiative.com/advisories/ZDI-20-1381/","name":"https://www.zerodayinitiative.com/advisories/ZDI-20-1381/","refsource":"MISC","tags":[],"title":"ZDI-20-1381 | Zero Day Initiative","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2021/dsa-4837","name":"DSA-4837","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4837-1 salt","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/","name":"FEDORA-2020-9e040bd6dd","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 31 Update: salt-3001.3-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.zerodayinitiative.com/advisories/ZDI-20-1382/","name":"https://www.zerodayinitiative.com/advisories/ZDI-20-1382/","refsource":"MISC","tags":[],"title":"ZDI-20-1382 | Zero Day Initiative","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/","name":"FEDORA-2020-9e040bd6dd","refsource":"","tags":[],"title":"[SECURITY] Fedora 31 Update: salt-3001.3-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.zerodayinitiative.com/advisories/ZDI-20-1380/","name":"https://www.zerodayinitiative.com/advisories/ZDI-20-1380/","refsource":"MISC","tags":[],"title":"ZDI-20-1380 | Zero Day Initiative","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202011-13","name":"GLSA-202011-13","refsource":"GENTOO","tags":["Third Party Advisory"],"title":"Salt: Multiple vulnerabilities (GLSA 202011-13) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html","name":"openSUSE-SU-2020:1868","refsource":"SUSE","tags":["Third Party Advisory"],"title":"[security-announce] openSUSE-SU-2020:1868-1: critical: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/","name":"https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Active SaltStack CVEs Announced 11/3/20 – Salt Project","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-16846","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-16846","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"16846","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"16846","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"16846","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"saltstack","cpe5":"salt","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"16846","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"saltstack","cpe5":"salt","cpe6":"3001","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"16846","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"saltstack","cpe5":"salt","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"16846","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"saltstack","cpe5":"salt","cpe6":"3001","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2020","cve_id":"16846","cve":"CVE-2020-16846","vendorProject":"SaltStack","product":"Salt","vulnerabilityName":"SaltStack Salt Shell Injection Vulnerability","dateAdded":"2021-11-03","shortDescription":"SaltStack Salt allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt API using the SSH client. This vulnerability affects any users running the Salt API.","requiredAction":"Apply updates per vendor instructions.","dueDate":"2022-05-03","knownRansomwareCampaignUse":"Unknown","notes":"https://nvd.nist.gov/vuln/detail/CVE-2020-16846","cwes":"CWE-78","catalogVersion":"2026.04.22","updated_at":"2026-04-22 20:03:11"},"epss":{"cve_year":"2020","cve_id":"16846","cve":"CVE-2020-16846","epss":"0.943870000","percentile":"0.999710000","score_date":"2026-04-22","updated_at":"2026-04-23 00:03:17"},"legacy_qids":[{"cve":"CVE-2020-16846","qid":"178984","title":"Debian Security Update for salt (DLA 2480-2)"},{"cve":"CVE-2020-16846","qid":"501687","title":"Alpine Linux Security Update for salt"},{"cve":"CVE-2020-16846","qid":"505397","title":"Alpine Linux Security Update for salt"},{"cve":"CVE-2020-16846","qid":"690359","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for salt (50259d8b-243e-11eb-8bae-b42e99975750)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-16846","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/saltstack/salt/releases","refsource":"MISC","name":"https://github.com/saltstack/salt/releases"},{"refsource":"CONFIRM","name":"https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/","url":"https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/"},{"refsource":"FEDORA","name":"FEDORA-2020-9e040bd6dd","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/"},{"refsource":"SUSE","name":"openSUSE-SU-2020:1868","url":"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html"},{"refsource":"GENTOO","name":"GLSA-202011-13","url":"https://security.gentoo.org/glsa/202011-13"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html","url":"http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html"},{"refsource":"MISC","name":"https://www.zerodayinitiative.com/advisories/ZDI-20-1381/","url":"https://www.zerodayinitiative.com/advisories/ZDI-20-1381/"},{"refsource":"MISC","name":"https://www.zerodayinitiative.com/advisories/ZDI-20-1383/","url":"https://www.zerodayinitiative.com/advisories/ZDI-20-1383/"},{"refsource":"MISC","name":"https://www.zerodayinitiative.com/advisories/ZDI-20-1380/","url":"https://www.zerodayinitiative.com/advisories/ZDI-20-1380/"},{"refsource":"MISC","name":"https://www.zerodayinitiative.com/advisories/ZDI-20-1379/","url":"https://www.zerodayinitiative.com/advisories/ZDI-20-1379/"},{"refsource":"MISC","name":"https://www.zerodayinitiative.com/advisories/ZDI-20-1382/","url":"https://www.zerodayinitiative.com/advisories/ZDI-20-1382/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20201204 [SECURITY] [DLA 2480-1] salt security update","url":"https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html"},{"refsource":"DEBIAN","name":"DSA-4837","url":"https://www.debian.org/security/2021/dsa-4837"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220103 [SECURITY] [DLA 2480-2] salt regression update","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html"}]}},"nvd":{"publishedDate":"2020-11-06 08:15:00","lastModifiedDate":"2023-11-07 03:19:00","problem_types":["CWE-78"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:3001:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"2019.2.0","versionEndExcluding":"2019.2.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"3000.0","versionEndExcluding":"3000.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"2018.2.0","versionEndExcluding":"2018.3.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"2016.3.7","versionEndExcluding":"2016.3.8","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"2017.7.5","versionEndExcluding":"2017.7.8","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"2017.5.0","versionEndExcluding":"2017.7.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"2016.11.7","versionEndExcluding":"2016.11.10","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"2016.11.4","versionEndExcluding":"2016.11.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"2016.11.0","versionEndExcluding":"2016.11.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"2016.3.5","versionEndExcluding":"2016.3.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"2015.8.11","versionEndExcluding":"2015.8.13","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionStartIncluding":"2016.3.0","versionEndExcluding":"2016.3.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*","versionEndExcluding":"2015.8.10","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"16846","Ordinal":"178255","Title":"CVE-2020-16846","CVE":"CVE-2020-16846","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"16846","Ordinal":"1","NoteData":"An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"16846","Ordinal":"2","NoteData":"2020-11-06","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"16846","Ordinal":"3","NoteData":"2022-01-03","Type":"Other","Title":"Modified"}]}}}