CVE-2022-22967
Description
An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, and 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account has since been locked to still run Salt commands. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SaltStack Salt PAM authentication fails to reject locked accounts, allowing previously authorized users to continue running commands after account lock.
Vulnerability
Overview
CVE-2022-22967 is an authentication bypass vulnerability in SaltStack Salt versions prior to 3002.9, 3003.5, and 3004.2 [1]. The issue lies in the PAM (Pluggable Authentication Modules) authentication mechanism, which fails to properly check the account lock status. When a user's account is locked (e.g., due to failed login attempts or administrative action), the PAM auth module still allows that user to execute Salt commands if they have an active session or authenticate via salt-api using PAM eauth [1][2].
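PAM separates the credential check from the account-validity check, and the overview above describes a caller that performs only the first. The Python model below is an added example, not Salt's own auth/pam.py; its shadow-style records, hash function and "today" value are constructed. It shows why the two phases cannot be conflated: a user whose password still matches but whose account has expired is accepted by the credential-only path and rejected once the account phase is required.

```python
"""Model of the two PAM phases behind CVE-2022-22967 (added example, not Salt's code).

pam_authenticate() asks "does the credential match?"; pam_acct_mgmt() asks "may
this account log in right now?". Account expiry (shadow field 8, set by chage -E)
is enforced only by the second phase, so a caller that stops after the first
keeps accepting a locked account. Shadow lines, hash and "today" are constructed.
"""
import hashlib
import hmac

TODAY_DAY = 19500  # constructed "days since the epoch", the unit /etc/shadow uses

def toy_hash(password):
    """Stand-in for crypt(3); not a real password hashing scheme."""
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed shadow-style lines: name:hash:lastchg:min:max:warn:inactive:expire
SHADOW_LINES = [
    f"alice:{toy_hash('correct horse')}:19000:0:99999:7::",        # active account
    f"carol:{toy_hash('battery staple')}:19000:0:99999:7::19100",  # expired on day 19100
]

def parse_shadow(lines):
    """Map user -> (password hash, expiry day or None for 'never expires')."""
    db = {}
    for line in lines:
        f = line.split(":")
        db[f[0]] = (f[1], int(f[7]) if f[7] else None)
    return db

def pam_authenticate(db, user, password):
    """Phase 1: credential check only; knows nothing about lock or expiry."""
    entry = db.get(user)
    return entry is not None and hmac.compare_digest(entry[0], toy_hash(password))

def pam_acct_mgmt(db, user, today=TODAY_DAY):
    """Phase 2: account validity; fails once the expiry day has been reached."""
    entry = db.get(user)
    return entry is not None and (entry[1] is None or today < entry[1])

def login_vulnerable(db, user, password):
    """Defective pattern: a matching credential is taken as a usable account."""
    return pam_authenticate(db, user, password)

def login_fixed(db, user, password):
    """Hardened pattern: the account phase must pass as well."""
    return pam_authenticate(db, user, password) and pam_acct_mgmt(db, user)
```

With the constructed data, `login_vulnerable(db, "carol", "battery staple")` still returns True after carol's account expired, while `login_fixed` returns False.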
Exploitation
An attacker who previously held valid credentials and whose account has since been locked can continue to run Salt commands without re-authenticating. This affects both local shell accounts with an existing session and remote salt-api users that authenticate through PAM eauth [1]. The attack requires only that the user held authorized access before the lock; because the PAM module does not enforce the lock, no additional privileges are needed beyond the existing session or API token [2].
Impact
Successful exploitation allows a locked-out user to maintain access to Salt's management capabilities, potentially executing arbitrary commands on managed minions, modifying configurations, or exfiltrating data. This undermines account lockout policies and can lead to unauthorized persistent access within the infrastructure [1][2].
Mitigation
The vulnerability is fixed in Salt versions 3002.9, 3003.5, and 3004.2 [1]. Users should upgrade to these or later versions. There is no known workaround; upgrading is the recommended action. The issue is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| salt (PyPI) | < 3002.9 | 3002.9 |
| salt (PyPI) | >= 3003.0, < 3003.5 | 3003.5 |
| salt (PyPI) | >= 3004.0, < 3004.2 | 3004.2 |
Affected products
- SaltStack/Salt (pkg:pypi/salt), range: < 3002.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-fpxm-fprw-6hxj (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-22967 (advisory)
- security.gentoo.org/glsa/202310-22 (vendor advisory)
- github.com/pypa/advisory-database/tree/main/vulns/salt/PYSEC-2022-210.yaml
- repo.saltproject.io
- saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/
News mentions
No linked articles in our index yet.