Cyber Resilience

CVE-2020-11652

MediumCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 30 April 2020

Published
30 April 2020
Modified
07 November 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.9368 99.9th percentile
Risk Priority 89 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-11652 is a medium-severity Path Traversal (CWE-22) vulnerability in Debian Debian Linux. Its CVSS base score is 6.5 (Medium).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is a path traversal flaw, tracked as CWE-22, in the ClearFuncs class of the salt-master process within SaltStack Salt versions prior to 2019.2.4 and 3000 prior to 3000.2. The affected methods fail to properly sanitize paths, enabling arbitrary directory access.

Authenticated users can exploit the issue over the network with low attack complexity to read files from arbitrary directories on the salt-master host, resulting in high confidentiality impact without affecting integrity or availability.

Several vendor advisories reference the issue, including updates from openSUSE and support notices from Blackberry, while public exploit artifacts on Packet Storm describe related remote code execution chains against Salt masters and minions.

The CVSS 3.1 score is 6.5, reflecting the requirement for valid credentials to reach the exposed methods.

EU & UK References

Vulnerability details

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

saltstack
salt
≤ 2019.2.4 · 3000 — 3000.2
opensuse
leap
15.1
debian
debian linux
10.0, 8.0, 9.0
canonical
ubuntu linux
16.04, 18.04
blackberry
workspaces server
9.1.0 · ≤ 7.1.3 · 8.0.0 — 8.2.6
vmware
application remote collector
7.5.0, 8.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted path inputs to the ClearFuncs methods, blocking the CWE-22 traversal that permits arbitrary directory reads.

prevent

Enforces authorization checks on every access request to salt-master methods and files, preventing authenticated users from reaching unsanitized directory operations.

prevent

Restricts the set of permitted ClearFuncs methods and file-system privileges granted to authenticated users, limiting the impact of the missing path checks.

References