{"id":"CVE-2022-22967","details":"An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user to still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.","aliases":["GHSA-fpxm-fprw-6hxj","PYSEC-2022-210"],"modified":"2026-04-10T04:44:36.453742Z","published":"2022-06-23T17:15:12.080Z","related":["SUSE-SU-2022:2154-1","SUSE-SU-2022:2159-1","SUSE-SU-2022:2178-1","SUSE-SU-2022:2178-2","SUSE-SU-2022:2253-1","SUSE-SU-2022:2278-1","SUSE-SU-2022:2304-1","SUSE-SU-2022:3172-1","SUSE-SU-2022:3177-1","openSUSE-SU-2024:12154-1"],"references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202310-22"},{"type":"ADVISORY","url":"https://repo.saltproject.io/"},{"type":"ADVISORY","url":"https://saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/%2C"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/saltstack/salt","events":[{"introduced":"0"},{"fixed":"e8fb2b423948248d5c90cbdfa8a870d306b92d1d"},{"introduced":"6fa95b058b9d999c23dff5eb2ba4127aa2dc8b71"},{"fixed":"3fa1e4c4d972d362b14eb767231f29a7a702d2b8"},{"introduced":"fec6e71228f67d1d7bbf1abe32f98acb392d3697"},{"fixed":"604c955718aa3622236e0c131731a7bb54beb825"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3002.9"},{"introduced":"3003"},{"fixed":"3003.5"},{"introduced":"3004"},{"fixed":"3004.2"}]}}],"versions":["v0.10.0","v0.10.1","v0.10.2","v0.10.3","v0.10.4","v0.10.5","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.16","v0.17","v0.6.0","v0.7.0","v0.8.0","v0.8.7","v0.8.9","v0.9.0","v0.9.1","v0.9.2","v0.9.3","v0.9.9","v2014.1","v2014.7","v2015.2","v2015.5","v2015.8","v2016.11","v2016.3","v2016.9","v2017.5","v2017.7","v2018.11","v2018.2","v2018.3","v2019.2","v2019.2.1","v2019.2.1rc1","v3000","v3000.0rc1","v3000.0r
c2","v3000.1","v3000_docs","v3001","v3001.1","v3001rc1","v3002","v3002.2","v3002.3","v3002.4","v3002.5","v3002.6","v3002.7","v3002.8","v3002rc1","v3003.1","v3003.2","v3003.3","v3003.4","v3003_docs","v3003rc1","v3004","v3004.1","v3004rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22967.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}