CVE-2022-22941

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*
cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:*

History

21 Dec 2023, 18:44

Type Values Removed Values Added
References () https://saltproject.io/security_announcements/salt-security-advisory-release/%2C - () https://saltproject.io/security_announcements/salt-security-advisory-release/%2C - Broken Link
References () https://github.com/saltstack/salt/releases%2C - () https://github.com/saltstack/salt/releases%2C - Broken Link
References (GENTOO) https://security.gentoo.org/glsa/202310-22 - (GENTOO) https://security.gentoo.org/glsa/202310-22 - Third Party Advisory

07 Nov 2023, 03:44

Type Values Removed Values Added
References
  • {'url': 'https://saltproject.io/security_announcements/salt-security-advisory-release/,', 'name': 'https://saltproject.io/security_announcements/salt-security-advisory-release/,', 'tags': ['Vendor Advisory'], 'refsource': 'MISC'}
  • {'url': 'https://github.com/saltstack/salt/releases,', 'name': 'https://github.com/saltstack/salt/releases,', 'tags': ['Broken Link', 'Release Notes', 'Third Party Advisory'], 'refsource': 'MISC'}
  • () https://saltproject.io/security_announcements/salt-security-advisory-release/%2C -
  • () https://github.com/saltstack/salt/releases%2C -

31 Oct 2023, 14:15

Type Values Removed Values Added
References
  • (GENTOO) https://security.gentoo.org/glsa/202310-22 -

Information

Published : 2022-03-29 17:15

Updated : 2024-02-28 19:09


NVD link : CVE-2022-22941

Mitre link : CVE-2022-22941

CVE.ORG link : CVE-2022-22941


JSON object : View

Products Affected

saltstack

  • salt
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource