GHSA-qcr3-hr2f-6557

Source

https://github.com/advisories/GHSA-qcr3-hr2f-6557

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-qcr3-hr2f-6557/GHSA-qcr3-hr2f-6557.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qcr3-hr2f-6557

Aliases

Published

2022-03-30T00:00:20Z

Modified

2024-10-22T15:11:34.787109Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

SaltStack Salt Permissions Bypass

Details

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisheracl, if a user configured in the publisheracl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisheracl configured on the Master-of-Masters, allowing users specified in the publisheracl to bypass permissions, publishing authorized commands to any configured minion.

References

Affected packages

PyPI / salt

Package

Name: salt; View open source insights on deps.dev
Purl: pkg:pypi/salt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3002.8

Affected versions

0.*

0.8.7

0.8.9

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.9.1

0.10.0

0.10.1

0.10.2

0.10.3

0.10.4

0.10.5

0.11.0

0.11.1

0.12.0

0.12.1

0.13.0

0.13.1

0.13.2

0.13.3

0.14.0

0.14.1

0.15.0

0.15.1

0.15.2

0.15.3

0.15.90

0.16.0

0.16.1

0.16.2

0.16.3

0.16.4

0.17.0rc1

0.17.0

0.17.1

0.17.2

0.17.3

0.17.4

0.17.5

2014.*

2014.1.0rc1

2014.1.0rc2

2014.1.0rc3

2014.1.0

2014.1.1

2014.1.2

2014.1.3

2014.1.4

2014.1.5

2014.1.6

2014.1.7

2014.1.8

2014.1.9

2014.1.10

2014.1.11

2014.1.12

2014.1.13

2014.7.0rc1

2014.7.0rc2

2014.7.0rc3

2014.7.0rc4

2014.7.0rc5

2014.7.0rc6

2014.7.0rc7

2014.7.0

2014.7.1

2014.7.2

2014.7.3

2014.7.4

2014.7.5

2014.7.6

2014.7.7

2015.*

2015.2.0rc1

2015.2.0rc2

2015.5.0

2015.5.1

2015.5.2

2015.5.3

2015.5.4

2015.5.5

2015.5.6

2015.5.7

2015.5.8

2015.5.9

2015.5.10

2015.5.11

2015.8.0rc1

2015.8.0rc2

2015.8.0rc3

2015.8.0rc4

2015.8.0rc5

2015.8.0

2015.8.1

2015.8.2

2015.8.3

2015.8.4

2015.8.5

2015.8.7

2015.8.8

2015.8.8.2

2015.8.9

2015.8.10

2015.8.11

2015.8.12

2015.8.13

2016.*

2016.3.0rc2

2016.3.0rc3

2016.3.0

2016.3.1

2016.3.2

2016.3.3

2016.3.4

2016.3.5

2016.3.6

2016.3.7

2016.3.8

2016.11.0rc1

2016.11.0rc2

2016.11.0

2016.11.1

2016.11.2

2016.11.3

2016.11.4

2016.11.5

2016.11.6

2016.11.7

2016.11.8

2016.11.9

2016.11.10

2017.*

2017.7.0rc1

2017.7.0

2017.7.1

2017.7.2

2017.7.3

2017.7.4

2017.7.5

2017.7.6

2017.7.7

2017.7.8

2018.*

2018.3.0rc1

2018.3.0

2018.3.1

2018.3.2

2018.3.3

2018.3.4

2018.3.5

2019.*

2019.2.0rc1

2019.2.0rc2

2019.2.0

2019.2.1

2019.2.2

2019.2.3

2019.2.4

2019.2.5

2019.2.6

2019.2.7

2019.2.8

3000.*

3000.0.0rc1

3000.0.0rc2

3000.1

3000.2

3000.3

3000.4

3000.5

3000.6

3000.7

3000.8

3000.9

Other

3000

3001rc1

3001

3002rc1

3002

3001.*

3001.1

3001.2

3001.3

3001.4

3001.5

3001.6

3001.7

3001.8

3002.*

3002.1

3002.2

3002.3

3002.4

3002.5

3002.6

3002.7

PyPI / salt

Package

Name: salt; View open source insights on deps.dev
Purl: pkg:pypi/salt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3003

Fixed

3003.4

Affected versions

Other

3003

3003.*

3003.1

3003.2

3003.3

PyPI / salt

Package

Name: salt; View open source insights on deps.dev
Purl: pkg:pypi/salt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3004

Fixed

3004.1

Affected versions

Other

3004