#VU27495 Path traversal in Salt


Published: 2020-05-04 | Updated: 2024-03-22

Vulnerability identifier: #VU27495

Vulnerability risk: Medium

CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C]

CVE-ID: CVE-2020-11652

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Salt
Web applications / Remote management & hosting panels

Vendor: SaltStack

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the salt-master process ClearFuncs class. A remote authenticated attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Salt: 2019.2 - 2019.2.3, 3000 - 3000.1

External links
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html
http://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html
http://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
http://labs.f-secure.com/advisories/saltstack-authorization-bypass

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC VxRail Appliance
SUSE update for salt
SUSE update for salt
OpenSUSE Linux update for salt
SaltStack vulnerabilities in Cisco Modeling Labs and Virtual Internet Routing Lab
Multiple SaltStack Salt vulnerabilities in VMware vRealize Operations Manager
Debian update for salt
Arch Linux update for salt
Path traversal in salt (Alpine package)
Multiple vulnerabilities in SaltStack Salt