Main Vulnerability Database Exploits ID:9448 - Exploit for Improper Authentication in Salt - CVE-2020-11651

ID:9448 - Exploit for Improper Authentication in Salt - CVE-2020-11651

Published: December 19, 2023

Vulnerability identifier: #VU27494

Vulnerability risk: Critical

CVE-ID: CVE-2020-11651

CWE-ID: CWE-287

Exploitation vector: Remote access

Vulnerable software:
Salt

Link to public exploit:

https://github.com/hardsoftsecurity/CVE-2020-11651-PoC

Vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the salt-master process "ClearFuncs" class does not properly validate method calls. A remote non-authenticated attacker can bypass authentication process and gain access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minion as root.

Note: this vulnerability is being actively exploited in the wild.

Remediation

Install updates from vendor's website.

ID:9448 - Exploit for Improper Authentication in Salt - CVE-2020-11651

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human