Vulnerability Details : CVE-2022-24756
Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, a failed PAM authentication will leak a small amount of memory. An attacker that is able to use the PAM Console (i.e. by knowing the shared secret or via the WebUI) can flood the Director with failing login attempts which will eventually lead to an out-of-memory condition in which the Director will not work anymore. Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 contain a Bugfix for this problem. Users who are unable to upgrade may disable PAM authentication as a workaround.
Products affected by CVE-2022-24756
- cpe:2.3:a:bareos:bareos:*:*:*:*:*:*:*:*
- cpe:2.3:a:bareos:bareos:*:*:*:*:*:*:*:*
- cpe:2.3:a:bareos:bareos:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24756
0.27%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 68 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-24756
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2022-24756
-
The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-24756
-
https://github.com/bareos/bareos/pull/1119
Add PAM authorization by arogge · Pull Request #1119 · bareos/bareos · GitHubPatch;Third Party Advisory
-
https://github.com/bareos/bareos/security/advisories/GHSA-jh55-4wgw-xc9j
Memory Leak in Bareos Director's PAM authentication may lead to Denial of Service · Advisory · bareos/bareos · GitHubThird Party Advisory
-
https://huntr.dev/bounties/480121f2-bc3c-427e-986e-5acffb1606c5/
Improper Authorization and possible DoS when using PAM Auth vulnerability found in bareosExploit;Patch;Third Party Advisory
-
https://github.com/bareos/bareos/pull/1121
Add PAM authorization by arogge · Pull Request #1121 · bareos/bareos · GitHubPatch;Third Party Advisory
-
https://github.com/bareos/bareos/pull/1115
dird: Add PAM authorization by arogge · Pull Request #1115 · bareos/bareos · GitHubPatch;Third Party Advisory
Jump to