An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16846
Reference (s):
- https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
- DEBIAN:DSA-4837
- URL: https://www.debian.org/security/2021/dsa-4837
- FEDORA:FEDORA-2020-9e040bd6dd
- URL: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/