CVE-2022-22941
- Source
- https://cve.org/CVERecord?id=CVE-2022-22941
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22941.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-22941
- Aliases
- Downstream
- Related
- Published
- 2022-03-29T17:15:15.327Z
- Modified
- 2026-04-02T07:47:03.118727Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisheracl, if a user configured in the publisheracl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisheracl configured on the Master-of-Masters, allowing users specified in the publisheracl to bypass permissions, publishing authorized commands to any configured minion.
- References
Affected packages
Git / github.com/saltstack/salt
Affected versions
Other
v3002
v3003
v3003_docs
v3003rc1
v3004
v3004_docs
v3004rc1
v3005
v3005rc1
v3005rc2
v3002.*
v3002.1
v3002.2
v3002.3
v3002.4
v3002.5
v3002.6
v3002.7
v3003.*
v3003.1
v3003.2
v3003.3
v3005.*
v3005.1
v3005.1-2
v3005.1-3
v3005.1-4
v3005.2
v3005.3
v3005.4
v3005.5
v3006.*
v3006.0
v3006.0rc1
v3006.0rc2
v3006.0rc3
v3006.1
v3006.10
v3006.11
v3006.12
v3006.13
v3006.14
v3006.15
v3006.16
v3006.17
v3006.18
v3006.19
v3006.2
v3006.20
v3006.21
v3006.22
v3006.23
v3006.3
v3006.3_docs
v3006.4
v3006.5
v3006.6
v3006.7
v3006.8
v3006.9
v3007.*
v3007.0
v3007.0rc1
v3007.1
v3007.10
v3007.11
v3007.12
v3007.13
v3007.2
v3007.3
v3007.4
v3007.5
v3007.6
v3007.7
v3007.8
v3007.9