QwikSec

Security Database

CVE

CWE

Training

CVE-2022-24755

Published: Mar 15, 2022

Modified: Apr 22, 2025

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, it will skip authorization checks completely. Expired accounts and accounts with expired passwords can still login. This problem will affect users that have PAM enabled. Currently there is no authorization (e.g. check for expired or disabled accounts), but only plain authentication (i.e. check if username and password match). Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 implement the authorization check that was previously missing. The only workaround is to make sure that authentication fails if the user is not authorized.

Vendor	Product	Versions
bareos	bareos	affected `>= 18.2, < 19.2.12` affected `>= 20.0.0, < 20.0.6` affected `>= 21.0.0, < 21.1.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/bareos/bareos/security/advisories/GHSA-4979-8ffj-4q26

x_refsource_CONFIRM

https://github.com/bareos/bareos/pull/1115

x_refsource_MISC

https://github.com/bareos/bareos/pull/1119

x_refsource_MISC

https://github.com/bareos/bareos/pull/1121

x_refsource_MISC

https://huntr.dev/bounties/480121f2-bc3c-427e-986e-5acffb1606c5/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.