CVE-2022-22941

NameCVE-2022-22941
DescriptionAn issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs1008945

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
salt (PTS)stretch2016.11.2+ds-1+deb9u4vulnerable
stretch (security)2016.11.2+ds-1+deb9u10vulnerable
buster, buster (security)2018.3.4+dfsg1-6+deb10u3vulnerable
bullseye (security), bullseye3002.6+dfsg1-4+deb11u1vulnerable
bookworm, sid3004.1+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
saltsource(unstable)3004.1+dfsg-11008945

Notes

https://saltproject.io/security_announcements/salt-security-advisory-release/

Search for package or bug name: Reporting problems