CVE-2020-11651

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly...

Basic Information

CVE State: PUBLISHED
Reserved Date: April 08, 2020
Published Date: April 30, 2020
Last Updated: October 21, 2025
Vendor: SaltStack
Product: Salt
Description: An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2021-11-03 00:00:00 UTC) Source

References

https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html http://packetstormsecurity.com/files/157560/Saltstack-3000.1-Remote-Code-Execution.html https://www.debian.org/security/2020/dsa-4676 http://www.vmware.com/security/advisories/VMSA-2020-0009.html http://packetstormsecurity.com/files/157678/SaltStack-Salt-Master-Minion-Unauthenticated-Remote-Code-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00070.html https://usn.ubuntu.com/4459-1/

Known Exploited Vulnerability Information

Source	Added Date
CISA	2021-11-03 00:00:00 UTC
CISA	2021-11-03 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb	2025-04-28 15:02:14 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

appcheck-ng/salt-rce-scanner-CVE-2020-11651-CVE-2020-11652

Type: github • Created: 2020-11-30 09:23:23 UTC • Stars: 0

Scanning tool to test for SaltStack vulnerabilities CVE-2020-11651 & CVE-2020-11652.

RakhithJK/CVE-2020-11651

Type: github • Created: 2020-05-09 11:22:25 UTC • Stars: 0

PoC for CVE-2020-11651

ssrsec/CVE-2020-11651-CVE-2020-11652-EXP

Type: github • Created: 2020-05-07 09:17:39 UTC • Stars: 24

CVE-2020-11651&&CVE-2020-11652 EXP

kevthehermit/CVE-2020-11651

Type: github • Created: 2020-05-04 20:34:04 UTC • Stars: 6

PoC for CVE-2020-11651

jasperla/CVE-2020-11651-poc

Type: github • Created: 2020-05-04 11:52:28 UTC • Stars: 121

PoC exploit of CVE-2020-11651 and CVE-2020-11652

0xc0d/CVE-2020-11651

Type: github • Created: 2020-05-04 11:47:56 UTC • Stars: 40

CVE-2020-11651: Proof of Concept

Timeline

CVE ID Reserved

April 08, 2020
CVE Published to Public

April 30, 2020
Added to KEVIntel

November 03, 2021
Added to KEVIntel

November 03, 2021
Detected by Metasploit

April 28, 2025