CVE-2022-22941: 
Python vulnerability analysis and mitigation

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters with a publisheracl, the vulnerability allows configured users to bypass permissions and publish authorized commands to any minion connected to the syndic. This occurs because the Salt Master incorrectly interprets no valid targets as valid targets when a user configured in the publisheracl targets any minion connected to the Syndic (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). The vulnerability specifically manifests when using a syndic master combined with publisher_acl configured on the Master-of-Masters (NVD).

When exploited, this vulnerability allows users specified in the publisheracl to bypass intended permission restrictions. The impact enables these users to publish authorized commands to any configured minion connected to the syndic, effectively circumventing the access control mechanisms that should be enforced by the publisheracl (NVD).

The vulnerability has been fixed in SaltStack Salt versions 3002.8, 3003.4, and 3004.1. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Gentoo Advisory).