GHSA-6cp7-g972-w9m9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6cp7-g972-w9m9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-6cp7-g972-w9m9/GHSA-6cp7-g972-w9m9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6cp7-g972-w9m9
- Aliases
- Published
- 2022-03-07T16:59:31Z
- Modified
- 2023-11-08T04:08:34.145187Z
- Severity
-
- 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- Use of a Key Past its Expiration Date and Insufficient Session Expiration in Maddy Mail Server
- Details
-
Impact
Any configuration on any maddy version <0.5.4 using auth.pam is affected.
No password expiry or account expiry checking is done when authenticating using PAM.
Patches
Patch is available as part of the 0.5.4 release.
Workarounds
If /etc/shadow authentication is used, it is possible to replace auth.pam with auth.shadow which is not affected.
It is possible to blacklist expired accounts via existing filtering mechanisms (e.g. auth_map to invalid accounts in storage.imapsql).
References
- https://github.com/foxcpp/maddy/blob/3412e59a2c92106e194fa69f2f1017c020037c9c/internal/auth/pam/pam.c
- https://linux.die.net/man/3/pamacctmgmt
For more information
If you have any questions or comments about this advisory: * Open an issue in https://github.com/foxcpp/maddy * Email fox.cpp@disroot.org
- Database specific
{ "nvd_published_at": "2022-03-09T20:15:00Z", "cwe_ids": [ "CWE-324", "CWE-613" ], "github_reviewed_at": "2022-03-07T16:59:31Z", "severity": "MODERATE", "github_reviewed": true }- References
Affected packages
Go / github.com/foxcpp/maddy
Package
- Name
- github.com/foxcpp/maddy
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/foxcpp/maddy