Base Score

HIGH8.8

CVE-2022-22967

An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.

VectorNETWORK

Published Bysecurity@vmware.com

Published DateJun 23, 2022, 17:15

Affected Versions(3)

salt(PyPI)

Introduced0

Fixed3002.9

LimitN/A

salt(PyPI)

Introduced3003.0

Fixed3003.5

LimitN/A

salt(PyPI)

Introduced3004.0

Fixed3004.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
salt(PyPI)	0	3002.9	N/A
salt(PyPI)	3003.0	3003.5	N/A
salt(PyPI)	3004.0	3004.2	N/A

Weakness Type (CWE):CWE-863

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

Base Score

HIGH8.8

Weakness Type (CWE):CWE-863

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH