CVE-2022-22967
First published: Wed Jun 22 2022(Updated: )
An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.
Credit: security@vmware.com security@vmware.com security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/salt | >=3004.0<3004.2 | 3004.2 |
| pip/salt | >=3003.0<3003.5 | 3003.5 |
| pip/salt | <3002.9 | 3002.9 |
| SaltStack Salt | <3002.9 | |
| SaltStack Salt | >=3003<3003.5 | |
| SaltStack Salt | >=3004<3004.2 | |
| SaltStack Salt | ||
| <3002.9 | ||
| >=3003<3003.5 | ||
| >=3004<3004.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-22967
- https://github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2022-210.yaml
- https://repo.saltproject.io/
- https://saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/,
- https://github.com/advisories/GHSA-fpxm-fprw-6hxj (Advisory)
- https://security.gentoo.org/glsa/202310-22
- https://saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/%2C
- https://saltproject.io/security-announcements/2022-06-21-advisory/
- https://repo.saltproject.io
Frequently Asked Questions
What is CVE-2022-22967?
CVE-2022-22967 is an issue discovered in SaltStack Salt that allows a previously authorized user with a locked account to still run Salt commands.
Which versions of SaltStack Salt are affected by CVE-2022-22967?
Versions before 3002.9, 3003.5, and 3004.2 of SaltStack Salt are affected by CVE-2022-22967.
What is the severity of CVE-2022-22967?
CVE-2022-22967 has a severity rating of 8.8, indicating a high severity.
How does CVE-2022-22967 affect users?
CVE-2022-22967 allows users with locked accounts to still run Salt commands, bypassing the account lock.
How can CVE-2022-22967 be fixed?
To fix CVE-2022-22967, users should upgrade to SaltStack Salt versions 3002.9, 3003.5, or 3004.2 or later.
- collector/nvd-api
- agent/type
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup
- collector/saltproject-advisory
- source/Salt Project
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-fpxm-fprw-6hxj
- alias/CVE-2022-22967
- agent/references
- agent/last-modified-date
- agent/tags
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- vendor/saltstack
- canonical/saltstack salt
- version/saltstack salt/3003
- version/saltstack salt/3004
- package-manager/pip