CVE-2022-22941
First published: Tue Mar 29 2022(Updated: )
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion.
Credit: security@vmware.com security@vmware.com security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SaltStack Salt | >=3002<3002.8 | |
| SaltStack Salt | >=3003<3003.4 | |
| SaltStack Salt | >=3004<3004.1 | |
| SaltStack Salt | <3004.1<3003.4<3002.8 | 3004.1 3003.4 3002.8 |
| pip/salt | <3002.8 | 3002.8 |
| pip/salt | >=3004<3004.1 | 3004.1 |
| pip/salt | >=3003<3003.4 | 3003.4 |
Remedy
Solution: The code has been modified to correctly treat an empty list of targets as completely invalid, and the user will correctly be given an error message. How to Mitigate: Upgrade the Salt Master-of-Masters to the latest version of salt software.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/saltstack/salt/releases,
- https://repo.saltproject.io/
- https://saltproject.io/security_announcements/salt-security-advisory-release/,
- https://github.com/saltstack/salt/releases%2C
- https://saltproject.io/security_announcements/salt-security-advisory-release/%2C
- https://security.gentoo.org/glsa/202310-22
- https://saltproject.io/security-announcements/2022-03-28-advisory/
- https://nvd.nist.gov/vuln/detail/CVE-2022-22941
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3002.8.rst#L31
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3003.4.rst#L32
- https://github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3004.1.rst#L30
- https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2022-174.yaml
- https://repo.saltproject.io
- https://github.com/advisories/GHSA-qcr3-hr2f-6557 (Advisory)
Frequently Asked Questions
What is CVE-2022-22941?
CVE-2022-22941 is a vulnerability found in SaltStack Salt before version 3002.8, 3003.4, and 3004.1 that allows an attacker to target minions connected to the Syndic when configured as a Master-of-Masters with a publisher_acl.
How severe is CVE-2022-22941?
CVE-2022-22941 has a severity level of 8.8 (high).
How can I fix CVE-2022-22941?
To fix CVE-2022-22941, upgrade SaltStack Salt to version 3002.8, 3003.4, or 3004.1.
Where can I find more information about CVE-2022-22941?
You can find more information about CVE-2022-22941 on the SaltStack Salt GitHub releases page, SaltStack repository, and SaltStack security advisory release page.
What is CWE-732?
CWE-732 is a specific weakness category that refers to incorrect interpretation of a security-sensitive feature or behavior.
- collector/nvd-index
- collector/nvd-api
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/description
- collector/saltproject-advisory
- source/Salt Project
- agent/software-canonical-lookup
- agent/severity
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-qcr3-hr2f-6557
- alias/CVE-2022-22941
- agent/last-modified-date
- collector/github-advisory
- agent/references
- agent/softwarecombine
- agent/tags
- agent/trending
- vendor/saltstack
- canonical/saltstack salt
- version/saltstack salt/3002
- version/saltstack salt/3003
- version/saltstack salt/3004
- package-manager/pip