QwikSec

Security Database

CVE

CWE

Training

CVE-2022-24756

Published: Mar 15, 2022

Modified: Apr 22, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, a failed PAM authentication will leak a small amount of memory. An attacker that is able to use the PAM Console (i.e. by knowing the shared secret or via the WebUI) can flood the Director with failing login attempts which will eventually lead to an out-of-memory condition in which the Director will not work anymore. Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 contain a Bugfix for this problem. Users who are unable to upgrade may disable PAM authentication as a workaround.

Vendor	Product	Versions
bareos	bareos	affected `>= 18.2, < 19.2.12` affected `>= 20.0.0, < 20.0.6` affected `>= 21.0.0, < 21.1.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/bareos/bareos/pull/1115

x_refsource_MISC

https://github.com/bareos/bareos/pull/1119

x_refsource_MISC

https://github.com/bareos/bareos/pull/1121

x_refsource_MISC

https://huntr.dev/bounties/480121f2-bc3c-427e-986e-5acffb1606c5/

x_refsource_MISC

https://github.com/bareos/bareos/security/advisories/GHSA-jh55-4wgw-xc9j

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.