QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2022-22941

Back to search

CVE-2022-22941

Published: Mar 29, 2022

Modified: May 5, 2025

PUBLISHED

Description

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion.

VendorProductVersions

n/a

SaltStack Salt

affected
SaltStack Salt prior to 3002.8, 3003.4, 3004.1

References

GLSA-202310-22
vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now