CVE-2020-11652 in SaltStack Salt

Summary

by MITRE

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.


Analysis

by VulDB Data Team • 02/05/2025

The vulnerability CVE-2020-11652 represents a critical path traversal flaw in SaltStack Salt before versions 2019.2.4 and 3000.2, where the ClearFuncs class in the salt-master process fails to properly sanitize user-provided paths. This security weakness stems from inadequate input validation mechanisms that permit authenticated users to manipulate file system access through specially crafted path parameters. The flaw exists within the master process functionality that handles clear function calls, allowing malicious actors to traverse directories beyond intended boundaries. The vulnerability specifically affects the salt-master daemon's handling of path-based operations, creating an attack surface where authenticated users can exploit improper path sanitization to access arbitrary directories on the system.

This flaw falls under CWE-22, Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal. It enables authenticated attackers to bypass normal file system access controls by manipulating path parameters through the ClearFuncs class interface. Exploitation occurs when the salt-master process handles user requests containing crafted paths that are not properly validated or sanitized before being used in file system operations. Attackers can leverage this weakness to access files outside of the intended directory structure, potentially leading to information disclosure, system compromise, or further attack vector exploitation. The issue is particularly concerning because it is exploitable by authenticated users, meaning that any individual with valid credentials can exploit this vulnerability.

The operational impact of CVE-2020-11652 extends beyond simple file access violations, as it creates a persistent threat vector for attackers who have gained legitimate authentication credentials. This vulnerability can be leveraged to extract sensitive configuration files, access system logs, or discover other valuable data that should remain protected within the salt-master environment. The attack surface is particularly dangerous in enterprise environments where SaltStack is used for configuration management, as it could enable attackers to access credentials, private keys, or other sensitive artifacts stored in the salt-master file system. Additionally, the vulnerability may facilitate privilege escalation attacks or serve as a stepping stone for more sophisticated exploitation techniques. The impact is amplified by the fact that this vulnerability affects core SaltStack functionality, making it a high-value target for threat actors.

Mitigation strategies for CVE-2020-11652 should prioritize immediate patching of affected SaltStack installations to versions 2019.2.4 or 3000.2, where the path sanitization issues have been addressed. Organizations should also implement network segmentation to limit access to salt-master processes and enforce strict authentication controls. Additional input validation measures and path normalization techniques can provide defense-in-depth protection against similar vulnerabilities. Security monitoring should be enhanced to detect suspicious path traversal attempts, and access controls should be reviewed to ensure that only necessary users have authentication credentials. From an ATT&CK perspective, this vulnerability aligns with techniques such as T1078 Valid Accounts and T1566 Phishing, as it exploits legitimate authentication mechanisms to gain unauthorized access to system resources. This makes detection more challenging and emphasizes the importance of enforcing the principle of least privilege and of comprehensive access logging.
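The path normalization recommended above, as an added example: this is not SaltStack's patch and not code from this page. The helper names, directory layout and sample inputs are constructed for illustration, and a POSIX filesystem is assumed.

```python
import os
import tempfile

class PathEscapeError(ValueError):
    """Raised when a requested path resolves outside the permitted base."""

def naive_join(base, user_path):
    # Weak form: lexical cleanup only, result never checked against base.
    # '..' segments, absolute paths and symlinks all lead out of base.
    return os.path.normpath(os.path.join(base, user_path))

def confined_path(base, user_path):
    """Return the resolved path of user_path under base, or raise PathEscapeError."""
    if "\x00" in user_path or os.path.isabs(user_path):
        raise PathEscapeError("rejected path: %r" % user_path)
    real_base = os.path.realpath(base)
    # realpath collapses '..' and follows symlinks, so the comparison is made
    # on the location the filesystem would actually open.
    candidate = os.path.realpath(os.path.join(real_base, user_path))
    # commonpath compares whole components, so '/srv/cache2' is not under '/srv/cache'.
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise PathEscapeError("escapes base: %r" % user_path)
    return candidate

# Constructed sample inputs (not taken from any real request).
SAMPLES = ["minions/web01", "../secret.pem", "minions/../../secret.pem",
           "/etc/hosts", "link/secret.pem"]

def demo():
    """Return {input: (naive_join_leaves_base, confined_path_accepts)}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "cache")
        os.makedirs(os.path.join(base, "minions"))
        os.symlink(root, os.path.join(base, "link"))  # symlink pointing outside base
        real_base = os.path.realpath(base)
        for p in SAMPLES:
            landed = os.path.realpath(naive_join(base, p))
            escapes = os.path.commonpath([real_base, landed]) != real_base
            try:
                confined_path(base, p)
                ok = True
            except PathEscapeError:
                ok = False
            results[p] = (escapes, ok)
    return results

if __name__ == "__main__":
    for path, (escapes, ok) in demo().items():
        print("%-28r naive leaves base=%-5s confined accepts=%s" % (path, escapes, ok))
```

The check resolves symlinks at validation time, so the returned path should be opened immediately and the base directory should not be writable by the requester.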

Reservation: 04/08/2020

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.86063

KEV: yes

Activities: very low
