Salt security advisory release - 2022-JUNE-21

The Salt Project released a security update to Salt to address 1 vulnerability with severity rating High. If you are using PAM authentication from within Salt, we strongly recommend prioritizing this update. This is a security advisory release. This release includes fixes to the vulnerability and bug fixes from the previous CVE release.

The following CVE was fixed as part of this release:

CVE Details


  • Description: PAM auth fails to reject locked accounts.
  • Impact: A previously authorized user whose account is locked may still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.
  • Solution: PAM account status is now correctly checked, rejecting locked accounts.

How to Mitigate

  • Upgrade to 3002.9, 3003.5, or 3004.2.
  • Alternatively, remove locked accounts rather than rely on Salt’s PAM eauth functionality.
  • Or, change to a different eauth module.
  • Attribution:
  • Severity Rating: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)


  • Updated packages for the following versions can be found at for these supported versions of Salt.
    • 3004.2
    • 3003.5
    • 3002.9