Vulnerability CVE-2022-22935

Vulnerability Name:

CVE-2022-22935 (CCN-222861)

Assigned:

2022-03-28

Published:

2022-03-28

Updated:

2022-04-06

Summary:

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. A minion authentication denial of service can cause a MiTM attacker to force a minion process to stop by impersonating a master.

CVSS v3 Severity:

3.7 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
3.2 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Adjacent Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

6.1 Medium (CCN CVSS v2 Vector: AV:A/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Adjacent_Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-287

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2022-22935

Source: XF
Type: UNKNOWN
saltstack-cve202222935-dos(222861)

Source: MISC
Type: Broken Link, Release Notes, Third Party Advisory
https://github.com/saltstack/salt/releases,

Source: MISC
Type: Product
https://repo.saltproject.io/

Source: CCN
Type: Salt Web site
Salt Security Advisory Release

Source: MISC
Type: Vendor Advisory
https://saltproject.io/security_announcements/salt-security-advisory-release/,

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2022-22935

Vulnerable Configuration:

Configuration 1:

cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 3002 and < 3002.8)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 3003 and < 3003.4)

OR cpe:/a:saltstack:salt:*:*:*:*:*:*:*:* (Version >= 3004 and < 3004.1)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8092	P	salt-transactional-update-3005.1-150500.2.13 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:7784	P	python3-salt-3005.1-150500.2.13 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:3522	P	hardlink-1.0-6.38 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3537	P	kdump-0.8.16-9.2 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3181	P	libgssglue1-0.4-3.76 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94811	P	python3-salt-3004-150400.6.16 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95152	P	salt-api-3004-150400.6.16 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95167	P	salt-transactional-update-3004-150400.6.16 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:118669	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:102229	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:99195	P	(Important)	2022-03-30
oval:org.opensuse.security:def:119355	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:1653	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:100392	P	(Important)	2022-03-30
oval:org.opensuse.security:def:118859	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:102262	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:99465	P	(Important)	2022-03-30
oval:org.opensuse.security:def:119540	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:1701	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:100725	P	(Important)	2022-03-30
oval:org.opensuse.security:def:119046	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:42167	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:102312	P	Security update for SUSE Manager 4.2.5.1 Release Notes (Important)	2022-03-30
oval:org.opensuse.security:def:99727	P	(Important)	2022-03-30
oval:org.opensuse.security:def:101576	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:119166	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:42257	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:845	P	Security update for salt (Important)	2022-03-30
oval:org.opensuse.security:def:100058	P	(Important)	2022-03-30

BACK