SaltStack has publicly disclosed three vulnerabilities that had been affecting Salt instances for some time. Two of them have been rated High or Critical.
One of the vulnerabilities is a shell injection flaw (CVE-2020-16846) that allows an unauthenticated actor to achieve Remote Code Execution (RCE) on unpatched Salt instances.
The other two are an authentication bypass flaw (CVE-2020-25592) and a permissions issue affecting the SSH key files (CVE-2020-17490).
Shortly after disclosure, reports emerged on Twitter, with some users highlighting the “pretty severe” nature of the vulnerabilities.
While SaltStack gave a heads-up on October 30th, the timing of full disclosure is interesting in that it coincided with U.S. Election Day, when much distraction is expected, making it an ideal time to deliver unsavory news.
As I first reported on BleepingComputer, the fix for the shell injection vulnerability CVE-2020-16846 appears to have existed in Salt’s public GitHub repository since at least August 18th, 2020.
Moreover, some of the Zero-Day Initiative (ZDI) bugs referenced in the fixes show original vulnerability report dates going back to June 2020.
The reason for the gaps between these events isn’t entirely clear.
Original vulnerability reports for some of the CVEs were filed in June via the Zero-Day Initiative (and carry ZDI identifiers).
Publicly visible fixes were committed to Salt’s GitHub repository starting in August, but full disclosure and the release of patched versions only took place on November 3rd, 2020.
Users should follow the official SaltStack advisory, released November 3rd, for upgrade advice and patches.
Patches for older versions have also been provided via GitLab.
Background photo licensed under CC BY-NC.