CVE-2022-22967
Summary
| CVE | CVE-2022-22967 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-06-23 17:15:00 UTC |
| Updated | 2023-12-21 18:44:00 UTC |
| Description | An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked to still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth. |
Risk And Classification
Problem Types: CWE-863
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Salt Project Package Repo | MISC | repo.saltproject.io | |
| Salt Security Advisory Release June 21st, 2022 – Salt Project | MISC | saltproject.io | |
| Salt Security Advisory Release June 21st, 2022 – Salt Project | | saltproject.io | |
| Salt: Multiple Vulnerabilities (GLSA 202310-22) — Gentoo security | GENTOO | security.gentoo.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 710782 Gentoo Linux Salt Multiple Vulnerabilities (GLSA 202310-22)
- 752260 SUSE Enterprise Linux Security Update for salt (SUSE-SU-2022:2159-1)
- 752268 SUSE Enterprise Linux Security Update for salt (SUSE-SU-2022:2178-1)
- 752285 SUSE Enterprise Linux Security Update for salt (SUSE-SU-2022:2253-1)
- 752309 SUSE Enterprise Linux Security Update for salt (SUSE-SU-2022:2278-1)
- 752313 SUSE Enterprise Linux Security Update for salt (SUSE-SU-2022:2304-1)