CVE-2022-22941
Description
An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SaltStack Salt before 3002.8, 3003.4, 3004.1 allows publisher_acl users to bypass permissions when using Syndic master, targeting any minion.
Vulnerability
An issue in SaltStack Salt before versions 3002.8, 3003.4, and 3004.1 affects deployments configured as a Master-of-Masters with a publisher_acl. When a user specified in the publisher_acl targets a minion connected to a Syndic, the Salt Master incorrectly interprets the absence of valid targets as a valid target set, allowing the user's authorized commands to be sent to any minion connected to the Syndic [1].
Exploitation
This vulnerability requires a Syndic master combined with publisher_acl configured on the Master-of-Masters. An attacker must be a user listed in the publisher_acl. The attacker targets any minion connected to the Syndic; the master then treats the empty target list as valid, publishing the command to all Syndic-connected minions [1]. No additional authentication or user interaction beyond the ACL is needed.
Impact
A successful exploitation allows the attacker to bypass the permissions enforced by publisher_acl, enabling them to execute their configured commands on any minion attached to the Syndic. This can lead to unauthorized command execution, privilege escalation, and compromise of minion systems [1][4].
Mitigation
The issue is fixed in Salt versions 3002.8, 3003.4, and 3004.1. Users should upgrade their Salt masters to these versions. No workaround is documented in the available references. The fix is tracked in GitHub issue #60413 and mentioned in the release notes [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| salt | PyPI | < 3002.8 | 3002.8 |
| salt | PyPI | >= 3003, < 3003.4 | 3003.4 |
| salt | PyPI | >= 3004, < 3004.1 | 3004.1 |
Affected products
- SaltStack/Salt (GitHub Security Advisory coordinates; 34 version ranges, package URLs omitted)
- (no CPE) range: < 3002.8
- (no CPE) range: < 3002.2-150300.53.16.1
- (no CPE) range: < 4.1.14.1-150200.3.77.1
- (no CPE) range: < 4.2.5.1-150300.3.34.1
- (no CPE) range: < 3002.2-150100.63.1
- (no CPE) range: < 3002.2-150200.64.1
- (no CPE) range: < 3002.2-150100.63.1
- (no CPE) range: < 3002.2-150100.63.1
- (no CPE) range: < 3002.2-150200.64.1
- (no CPE) range: < 3002.2-150200.64.1
- (no CPE) range: < 3002.2-150000.8.41.32.1
- (no CPE) range: < 3002.2-150000.8.41.32.1
- (no CPE) range: < 3002.2-150200.64.1
- (no CPE) range: < 3002.2-150300.53.16.1
- (no CPE) range: < 3002.2-150300.53.16.1
- (no CPE) range: < 3000-62.1
- (no CPE) range: < 3002.2-150300.53.16.1
- (no CPE) range: < 3002.2-150300.53.16.1
- (no CPE) range: < 3002.2-150300.53.16.1
- (no CPE) range: < 3002.2-150200.64.1
- (no CPE) range: < 3002.2-150100.63.1
- (no CPE) range: < 3002.2-150100.63.1
- (no CPE) range: < 3002.2-150200.64.1
- (no CPE) range: < 3002.2-150200.64.1
- (no CPE) range: < 3002.2-150000.8.41.32.1
- (no CPE) range: < 3002.2-150000.8.41.32.1
- (no CPE) range: < 3002.2-150100.63.1
- (no CPE) range: < 3002.2-150200.64.1
- (no CPE) range: < 3000-62.1
- (no CPE) range: < 3002.2-150200.64.1
- (no CPE) range: < 3002.2-150200.64.1
- (no CPE) range: < 3002.2-150200.64.1
- (no CPE) range: < 3004-3.8.1
- (no CPE) range: < 3004-150000.3.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qcr3-hr2f-6557 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-22941 (GHSA, advisory)
- security.gentoo.org/glsa/202310-22 (GHSA, vendor advisory, web)
- github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2022-174.yaml (GHSA, web)
- github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3002.8.rst (GHSA, web)
- github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3003.4.rst (GHSA, web)
- github.com/saltstack/salt/blob/8f9405cf8e6f7d7776d5000841c886dec6d96250/doc/topics/releases/3004.1.rst (GHSA, web)
- repo.saltproject.io (GHSA, web)
- repo.saltproject.io (MITRE)
- saltproject.io/security_announcements/salt-security-advisory-release/%2C (MITRE)
News mentions
No linked articles in our index yet.