CVE-2022-22967: Salt's PAM auth fails to reject locked accounts

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.56019%
Published: 6/25/2022
Updated: 10/26/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name   Ecosystem   Vulnerable Versions     First Patched Version
salt           pip         < 3002.9                3002.9
salt           pip         >= 3003.0, < 3003.5     3003.5
salt           pip         >= 3004.0, < 3004.2     3004.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from an incomplete authorization check in Salt's PAM external authentication (eAuth) module. A PAM client runs separate steps against the PAM stack: pam_authenticate verifies the supplied credential, and pam_acct_mgmt then asks the account modules whether that account may be used at all (not locked, not expired, not blocked by an access policy). Salt's PAM eAuth module (salt/auth/pam.py) drives these libpam calls directly through ctypes, and the advisory's description indicates that the pre-fix code stopped after a successful pam_authenticate, either omitting the pam_acct_mgmt step or ignoring its result, so a user whose password was still valid but whose account had been locked continued to authenticate and run Salt commands. This matches CWE-863 (Incorrect Authorization): credential validation succeeded, but the account-status check that should have revoked access was never enforced. The CVSS vector's PR:L reflects that the attacker must already hold valid credentials for the locked account. Note that a lock applied with passwd -l or usermod -L only prefixes the stored hash, so it is already rejected at the pam_authenticate stage; the gap matters for lockouts enforced by account-type modules, such as an expiry date set with chage -E or restrictions from pam_access and pam_time, which only pam_acct_mgmt consults.
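The following is an added example, not Salt's own code, showing the two PAM steps the analysis describes. It is a minimal libpam client written with ctypes; the PAM service name "login", the library name libpam.so.0, and the FakePam stand-in (used so the decision logic can be run without a real PAM stack or a real locked account) are assumptions of this example. The check_account flag reproduces the pre-fix behaviour when set to False.

```python
"""Two-step PAM check, as an added example (not Salt's code): pam_authenticate()
asks "is the credential right?", pam_acct_mgmt() asks "may this account be used
right now?". Skipping the second call is the class of bug described above."""
import ctypes
from ctypes import (CFUNCTYPE, POINTER, Structure, byref, c_char_p, c_int,
                    c_void_p, cast)

# Linux-PAM return codes used here (values from <security/_pam_types.h>).
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_PROMPT_ECHO_OFF = 1   # password-style prompt
PAM_PROMPT_ECHO_ON = 2    # username-style prompt


class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]


class PamResponse(Structure):
    _fields_ = [("resp", c_void_p), ("resp_retcode", c_int)]


CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)


class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


def _make_conv(password: bytes) -> CONV_FUNC:
    """Conversation callback that answers every prompt with `password`.
    Responses are allocated with libc so that libpam can free() them."""
    def conv(n_messages, messages, responses, appdata_ptr):
        libc = ctypes.CDLL(None)
        libc.calloc.restype = c_void_p
        libc.strdup.restype = c_void_p
        addr = libc.calloc(n_messages, ctypes.sizeof(PamResponse))
        responses[0] = cast(addr, POINTER(PamResponse))
        for i in range(n_messages):
            if messages[i].contents.msg_style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                responses[0][i].resp = libc.strdup(password)
            responses[0][i].resp_retcode = 0
        return PAM_SUCCESS
    return CONV_FUNC(conv)


def authenticate(username: str, password: str, *, service: str = "login",
                 check_account: bool = True, lib=None) -> bool:
    """True only if the credential is valid and, when check_account is set,
    the account stack also accepts the account. check_account=False reproduces
    the pre-fix behaviour: a locked account with a correct password passes."""
    if lib is None:
        lib = ctypes.CDLL("libpam.so.0")          # Linux-PAM (assumption)
    callback = _make_conv(password.encode())      # keep alive until pam_end
    conv = PamConv(callback, None)
    handle = c_void_p()
    rc = lib.pam_start(service.encode(), username.encode(), byref(conv), byref(handle))
    if rc != PAM_SUCCESS:
        return False
    try:
        rc = lib.pam_authenticate(handle, 0)      # step 1: is the credential right?
        if rc != PAM_SUCCESS:
            return False
        if not check_account:
            return True                           # vulnerable path: step 2 skipped
        rc = lib.pam_acct_mgmt(handle, 0)         # step 2: locked / expired / policy
        return rc == PAM_SUCCESS
    finally:
        lib.pam_end(handle, rc)


class FakePam:
    """Constructed stand-in for libpam (assumption of this example) so the
    decision logic can run without a real PAM stack. Records the calls made."""
    def __init__(self, auth_rc=PAM_SUCCESS, acct_rc=PAM_SUCCESS):
        self.auth_rc, self.acct_rc, self.calls = auth_rc, acct_rc, []

    def pam_start(self, *args):
        self.calls.append("pam_start")
        return PAM_SUCCESS

    def pam_authenticate(self, *args):
        self.calls.append("pam_authenticate")
        return self.auth_rc

    def pam_acct_mgmt(self, *args):
        self.calls.append("pam_acct_mgmt")
        return self.acct_rc

    def pam_end(self, *args):
        self.calls.append("pam_end")
        return PAM_SUCCESS


if __name__ == "__main__":
    # Correct password, but the account stack says the account is locked.
    locked = FakePam(auth_rc=PAM_SUCCESS, acct_rc=PAM_PERM_DENIED)
    print("pre-fix :", authenticate("alice", "hunter2", check_account=False, lib=locked))  # True
    print("post-fix:", authenticate("alice", "hunter2", lib=locked))                       # False
```

Run against a real host by passing no lib argument: the process then needs read access to the PAM service configuration and, for pam_unix, to /etc/shadow, which is why Salt's master runs this check as root. The FakePam class exists only to show the control flow; the pre-fix path never calls pam_acct_mgmt, so no account-stack decision can reach it.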

WAF Protection Rules

WAF Rule

An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked to still run Salt commands when their account is locked. Thi
