CVE-2022-22967 – salt
Package
Manager: pip
Name: salt
Vulnerable Version: >=0 <3002.9 || >=3003.0 <3003.5 || >=3004.0 <3004.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00444 (percentile 0.62515)
Details
Salt's PAM auth fails to reject locked accounts
An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user to still run Salt commands after their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.
Metadata
Created: 2022-06-25T07:21:19Z
Modified: 2024-10-26T22:51:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-fpxm-fprw-6hxj/GHSA-fpxm-fprw-6hxj.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-fpxm-fprw-6hxj
Finding: F006
Auto approve: 1