Skip to main content

Salt CVE-2020-11651

CRITICAL
2020-04-30 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Added to CISA KEV
Jul 14, 2026 - 04:22 CISA
CVE Published
Apr 30, 2020 - 17:15 nvd
CRITICAL 9.8

DescriptionNVD

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

AnalysisAI

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. Affected products include: Saltstack Salt, Opensuse Leap, Debian Debian Linux, Canonical Ubuntu Linux, Vmware Application Remote Collector. Version information: before 2019.2.4.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Salt

View all
CVE-2021-25281 CRITICAL POC
9.8 Feb 27

An issue was discovered in through SaltStack Salt before 3002.5. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2020-25592 CRITICAL POC
9.8 Nov 06

In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. Rated critical severity (

CVE-2020-16846 CRITICAL POC
9.8 Nov 06

An issue was discovered in SaltStack Salt through 3002. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2021-25282 CRITICAL POC
9.1 Feb 27

An issue was discovered in through SaltStack Salt before 3002.5. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2020-11652 MEDIUM POC
6.5 Apr 30

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. Rated medium severity (CVSS 6.5), this

CVE-2021-31607 HIGH POC
7.8 Apr 23

In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for

CVE-2013-6617 CRITICAL
10.0 Nov 05

The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it ea

CVE-2013-4437 CRITICAL
10.0 Nov 05

Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0 has unspecified impact and vectors related to "inse

CVE-2017-12791 CRITICAL
9.8 Aug 23

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.

CVE-2017-14695 CRITICAL
9.8 Oct 24

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8,

CVE-2021-3197 CRITICAL
9.8 Feb 27

An issue was discovered in SaltStack Salt before 3002.5. Rated critical severity (CVSS 9.8), this vulnerability is remot

CVE-2021-3148 CRITICAL
9.8 Feb 27

An issue was discovered in SaltStack Salt before 3002.5. Rated critical severity (CVSS 9.8), this vulnerability is remot

Share

CVE-2020-11651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy