[Pkg-salt-team] Bug#1013872: salt: CVE-2022-22967
Salvatore Bonaccorso
carnil at debian.org
Sun Jun 26 12:55:24 BST 2022
Source: salt
Version: 3004.1+dfsg-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for salt.
CVE-2022-22967[0]:
| An issue was discovered in SaltStack Salt in versions before 3002.9,
| 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows
| a previously authorized user whose account is locked still run Salt
| commands when their account is locked. This affects both local shell
| accounts with an active session and salt-api users that authenticate
| via PAM eauth.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-22967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22967
[1] https://saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-salt-team
mailing list