CVE-2020-16846

Exp

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

Published: 2020-11-06 Last update: 2025-11-07 Assigner: [email protected] Source: [email protected]
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2020-16846 is rated Critical Active Threat (99.4/100): CVSS Critical severity, with high exploitation likelihood (EPSS 94.39%, 100th percentile). CISA KEV confirms active exploitation (added 2021-11-03) affecting SaltStack / Salt. a weakness (CWE-78) Unauthenticated remote administrative access may be possible. The CISA remediation deadline has passed—treat as an emergency patch priority.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

CISA KEV Record for CVE-2020-16846

Name: SaltStack Salt Shell Injection Vulnerability · CISA KEV detail

Exploit added: 2021-11-03

Action due: 2022-05-03

Required action: Apply updates per vendor instructions.

Public exploit references (Exploit-DB) for CVE-2020-16846

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2020-16846

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-11-21 94.22% 94.39% +0.17%
2 2025-11-18 94.39% 94.22% -0.17%
3 2025-03-17 94.39%

Full EPSS history (14 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2020-16846

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
9.8 3.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 3.9 5.9 [email protected]
9.8 3.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 3.9 5.9 134c704f-9b21-4f2e-91b3-4a467353bcc0
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 6.4 [email protected]

Weakness enumeration for CVE-2020-16846

GitHub Security Advisory for CVE-2020-16846

GHSA-qr38-h96j-2j3w · Severity: critical · Ecosystem: pip — SaltStack Salt Command Injection in netapi ssh client

OS Trackers for CVE-2020-16846

vendor priority summary link
alpine CVE-2020-16846: 1 source package rows (salt); 11 state rows across 7 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 7, open 4. https://security.alpinelinux.org/vuln/CVE-2020-16846
gentoo normal CVE-2020-16846: 1 GLSA(s) (202011-13), 1 atom(s) (app-admin/salt); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2020-16846
redhat high https://access.redhat.com/security/cve/CVE-2020-16846
suse critical CVE-2020-16846 severity critical: SUSE including 245 source package names (bind-formula-0.1.1603299886.60e4bcf-3.3.2, grafana-formula-0.3.0-3.3.2, …), 353 product×package rows across 51 product lines (Image SLES12-SP5-Azure-BYOS, Image SLES12-SP5-Azure-HPC-BYOS, … (51 product lines)): Fixed 352, Known Not Affected 1. https://www.suse.com/security/cve/CVE-2020-16846/
ubuntu high CVE-2020-16846 high priority: Ubuntu including 1 source packages (salt), 14 status rows across 14 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, trusty, upstream, xenial): DNE 5, ignored 4, released 4, not-affected 1. https://ubuntu.com/security/CVE-2020-16846

Affected software / configurations for CVE-2020-16846

Vendor Product Version Raw CPE
saltstack salt < 2015.8.10 cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
saltstack salt >= 2015.8.11, < 2015.8.13 cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
saltstack salt >= 2016.3.0, < 2016.3.4 cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
saltstack salt >= 2016.3.5, < 2016.3.6 cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
saltstack salt >= 2016.3.7, < 2016.3.8 cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
saltstack salt >= 2016.11.0, < 2016.11.3 cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
saltstack salt >= 2016.11.4, < 2016.11.6 cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
saltstack salt >= 2016.11.7, < 2016.11.10 cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
saltstack salt >= 2017.5.0, < 2017.7.4 cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
saltstack salt >= 2017.7.5, < 2017.7.8 cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
saltstack salt >= 2018.2.0, < 2018.3.5 cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
saltstack salt >= 2019.2.0, < 2019.2.5 cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
saltstack salt >= 3000.0, < 3000.3 cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
saltstack salt 3001 cpe:2.3:a:saltstack:salt:3001:*:*:*:*:*:*:*
saltstack salt 3002 cpe:2.3:a:saltstack:salt:3002:*:*:*:*:*:*:*
debian debian_linux 9.0 cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debian debian_linux 10.0 cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
fedoraproject fedora 31 cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
opensuse leap 15.1 cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

References for CVE-2020-16846

URL Tags
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html Mailing List Third Party Advisory
http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html Exploit Third Party Advisory VDB Entry
https://github.com/saltstack/salt/releases Release Notes
https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/ Release Notes
https://security.gentoo.org/glsa/202011-13 Third Party Advisory
https://www.debian.org/security/2021/dsa-4837 Mailing List Third Party Advisory
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/ Broken Link Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-20-1379/ Third Party Advisory VDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-20-1380/ Third Party Advisory VDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-20-1381/ Third Party Advisory VDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-20-1382/ Third Party Advisory VDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-20-1383/ Third Party Advisory VDB Entry
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-16846 US Government Resource
cvelogic Threat Intelligence