Lucene search
GoogleOSV:GHSA-6CP7-G972-W9M9HistoryMar 07, 2022 - 4:59 p.m.
Use of a Key Past its Expiration Date and Insufficient Session Expiration in Maddy Mail Server
2022-03-0716:59:31
Google
osv.dev
15
0.001 Low
EPSS
Percentile
42.8%
Impact
Any configuration on any maddy version <0.5.4 using auth.pam is affected.
No password expiry or account expiry checking is done when authenticating using PAM.
Patches
Patch is available as part of the 0.5.4 release.
Workarounds
If /etc/shadow authentication is used, it is possible to replace auth.pam with auth.shadow which is not affected.
It is possible to blacklist expired accounts via existing filtering mechanisms (e.g. auth_map to invalid accounts in storage.imapsql).
References
- https://github.com/foxcpp/maddy/blob/3412e59a2c92106e194fa69f2f1017c020037c9c/internal/auth/pam/pam.c
- https://linux.die.net/man/3/pam_acct_mgmt
For more information
If you have any questions or comments about this advisory:
- Open an issue in https://github.com/foxcpp/maddy
- Email [email protected]
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/foxcpp/maddy | lt | 0.5.4 |
Related
cvelist
cvelist
CVE-2022-24732 Maddy Mail Server does not implement account expiry
2022-03-09 19:40:08
github
github
cve
cve
CVE-2022-24732
2022-03-09 20:15:08
veracode
veracode
Authentication Bypass
2022-03-09 07:59:47
prion
prion
Design/Logic Flaw
2022-03-09 20:15:00
osv
osv
CVE-2022-24732
2022-03-09 20:15:08
nvd
nvd
CVE-2022-24732
2022-03-09 20:15:08