CVE-2022-22941

CWE-732 — Incorrect Permission Assignment CWE-284 — Improper Access Control6 documents5 sources

Severity

8.8HIGH

EPSS

0.0%

top 95.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Saltstack Salt

Timeline

PublishedMar 29

Latest updateMar 30

Description

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Mas…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDsaltstack/salt3002 — 3002.8+2

▶CVEListV5saltstack_saltSaltStack Salt prior to 3002.8, 3003.4, 3004.1

▶PyPIsalt3003 — 3003.4+2

🔴Vulnerability Details

GHSA

SaltStack Salt Permissions Bypass↗2022-03-30

▶

OSV

SaltStack Salt Permissions Bypass↗2022-03-30

▶

CVEList

CVE-2022-22941: An issue was discovered in SaltStack Salt in versions before 3002↗2022-03-29

▶

OSV

CVE-2022-22941: An issue was discovered in SaltStack Salt in versions before 3002↗2022-03-29

▶

📋Vendor Advisories

CISA

Citrix ShareFile Improper Access Control Vulnerability↗2022-03-25

▶