CVE-2022-22936

NameCVE-2022-22936
DescriptionAn issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes and file server replies are susceptible to replay attacks, which can result in an attacker replaying job publishes causing minions to run old jobs. File server replies can also be re-played. A sufficient craft attacker could gain root access on minion under certain scenarios.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1008945

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
salt (PTS)jessie, jessie (lts)2014.1.13+ds-3+deb8u2vulnerable
stretch (security), stretch (lts), stretch2016.11.2+ds-1+deb9u10vulnerable
buster (security), buster, buster (lts)2018.3.4+dfsg1-6+deb10u3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
saltsourcejessie(unfixed)end-of-life
saltsourcestretch(unfixed)end-of-life
saltsourcebuster(unfixed)end-of-life
saltsource(unstable)3004.1+dfsg-11008945

Notes

[buster] - salt <end-of-life> (EOL in buster LTS)
https://saltproject.io/security_announcements/salt-security-advisory-release/

Search for package or bug name: Reporting problems