[Pkg-salt-team] Bug#1013872: salt: CVE-2022-22967

Salvatore Bonaccorso carnil at debian.org
Sun Jun 26 12:55:24 BST 2022


Source: salt
Version: 3004.1+dfsg-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for salt.

CVE-2022-22967[0]:
| An issue was discovered in SaltStack Salt in versions before 3002.9,
| 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows
| a previously authorized user whose account is locked still run Salt
| commands when their account is locked. This affects both local shell
| accounts with an active session and salt-api users that authenticate
| via PAM eauth.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-22967
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22967
[1] https://saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



More information about the pkg-salt-team mailing list