Candidate: CVE-2022-24756
PublicDate: 2022-03-15 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24756
 https://github.com/bareos/bareos/security/advisories/GHSA-jh55-4wgw-xc9j
 https://github.com/bareos/bareos/pull/1115
 https://github.com/bareos/bareos/pull/1119
 https://github.com/bareos/bareos/pull/1121
 https://huntr.dev/bounties/480121f2-bc3c-427e-986e-5acffb1606c5/
Description:
 Bareos is open source software for backup, archiving, and recovery of data
 for operating systems. When Bareos Director >= 18.2 but prior to 21.1.0,
 20.0.6, and 19.2.12 is built and configured for PAM authentication, a
 failed PAM authentication will leak a small amount of memory. An attacker
 that is able to use the PAM Console (i.e. by knowing the shared secret or
 via the WebUI) can flood the Director with failing login attempts which
 will eventually lead to an out-of-memory condition in which the Director
 will not work anymore. Bareos Director versions 21.1.0, 20.0.6 and 19.2.12
 contain a Bugfix for this problem. Users who are unable to upgrade may
 disable PAM authentication as a workaround.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_bareos:
upstream_bareos: needs-triage
trusty_bareos: ignored (out of standard support)
xenial_bareos: ignored (out of standard support)