PT-2022-16857 · Bareos · Bareos Director

Arogge · Published 2022-03-15 · Updated 2022-03-24 · CVE-2022-24755

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Bareos Director, from 18.2 onward, up to but not including the fixed release of each series:
Bareos Director 18.2.x (all releases; no fixed release in the 18.2 series is listed)
Bareos Director 19.2.0 through 19.2.11 (fixed in 19.2.12)
Bareos Director 20.0.0 through 20.0.5 (fixed in 20.0.6)
Bareos Director 21.x prior to 21.1.0 (fixed in 21.1.0)
Description
The issue affects Bareos Director when it is built and configured for PAM authentication. The Director performs only the PAM authentication step, that is, it checks that the supplied username and password match, and skips the account-management (authorization) step in which PAM enforces account state (in PAM API terms, pam_authenticate is run but pam_acct_mgmt, the phase that rejects expired or disabled accounts and expired passwords, is not). As a result, an account that has been disabled by expiry, or whose password has expired, can still log in to the Director as long as the password matches. Only deployments with PAM authentication enabled are affected.
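The following is an added executable model of the two PAM phases contrasted above; it is not Bareos code. It runs a hypothetical Director login routine against constructed /etc/shadow-style records and shows which kinds of "disabled" account the vulnerable flow (authentication only) still accepts and which the fixed flow (authentication plus account management) rejects. The hash format, the day numbers and the user records are all constructed; the function names mirror the libpam calls they stand in for.

```python
"""Executable model of the two PAM phases behind CVE-2022-24755.

Added example, not Bareos code. Hashing is a toy sha256 stand-in for
crypt(3); day numbers are days since 1970-01-01 as in /etc/shadow.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

TODAY = 19000  # constructed "current day" used by the expiry arithmetic


def toy_hash(password: str, salt: str) -> str:
    """Stand-in for crypt(3): produces "$toy$<salt>$<digest>"."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$toy${salt}${digest}"


# Constructed records: name:hash:lastchg:min:max:warn:inactive:expire
SHADOW = "\n".join([
    f"alice:{toy_hash('s3cret', 'a1')}:18990:0:99999:7::",     # valid account
    f"bob:{toy_hash('s3cret', 'b2')}:18990:0:99999:7::18999",  # account expired yesterday (chage -E)
    f"carol:{toy_hash('s3cret', 'c3')}:18800:0:90:7::",        # password older than its max age (chage -M)
    f"dave:!{toy_hash('s3cret', 'd4')}:18990:0:99999:7::",     # locked: "!" prefix on the hash (passwd -l)
])


@dataclass
class ShadowEntry:
    name: str
    hash: str
    lastchg: int
    max_age: Optional[int]
    expire: Optional[int]


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    entries = {}
    for line in text.splitlines():
        f = line.split(":")
        entries[f[0]] = ShadowEntry(
            name=f[0], hash=f[1], lastchg=int(f[2]),
            max_age=int(f[4]) if f[4] else None,
            expire=int(f[7]) if f[7] else None,
        )
    return entries


def pam_authenticate(entries, user, password) -> bool:
    """Phase 1: does the password match? This is all the vulnerable Director checks."""
    e = entries.get(user)
    if e is None or not e.hash.startswith("$toy$"):
        return False  # unknown user, or a "!"/"*" locked hash that crypt can never reproduce
    _, _, salt, _ = e.hash.split("$")
    return hmac.compare_digest(toy_hash(password, salt), e.hash)


def pam_acct_mgmt(entries, user, today=TODAY) -> bool:
    """Phase 2: may this account still log in? Skipped entirely by the vulnerable Director."""
    e = entries[user]
    if e.expire is not None and today >= e.expire:
        return False  # account expiry date reached
    if e.max_age is not None and today > e.lastchg + e.max_age:
        return False  # password expired (pam_unix reports PAM_NEW_AUTHTOK_REQD; a daemon treats it as failure)
    return True


def director_login_vulnerable(entries, user, password) -> bool:
    """Pre-fix behaviour: authentication only."""
    return pam_authenticate(entries, user, password)


def director_login_fixed(entries, user, password, today=TODAY) -> bool:
    """Post-fix behaviour: authentication, then account management."""
    return pam_authenticate(entries, user, password) and pam_acct_mgmt(entries, user, today)


def compare(entries, password="s3cret"):
    """(vulnerable_result, fixed_result) per user, each trying its correct password."""
    return {u: (director_login_vulnerable(entries, u, password),
                director_login_fixed(entries, u, password)) for u in entries}


if __name__ == "__main__":
    for user, (vuln, fixed) in compare(parse_shadow(SHADOW)).items():
        print(f"{user:6} vulnerable_director={vuln!s:5} fixed_director={fixed}")
```

The practitioner point the model makes explicit: bob (account expiry) and carol (password age) are accepted by the vulnerable flow because both controls live in the account-management phase, whereas dave is rejected even by the vulnerable flow because locking the password alters the stored hash and so breaks the password match itself.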
Recommendations
Update to the fixed release of your series: 19.2.12 or later for 19.2.x (and for 18.2.x, which has no fixed release of its own), 20.0.6 or later for 20.0.x, and 21.1.0 or later for 21.x.
As a temporary workaround, make sure that any user who must no longer be allowed in fails the authentication step itself, not only the account step: with this bug, expiry-based controls (account expiry date, password maximum age) are not enforced by the Director, so the credential has to be locked or removed at the source the PAM stack authenticates against, so that the username/password check alone fails. Verify the workaround by attempting a Director login as an expired account.
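To check a fleet against the ranges listed under Affected Versions and Recommendations, the following added example (not Bareos tooling) encodes them: every Director release from 18.2 onward is affected until the fixed release of its series, and 18.2.x users move to the oldest fixed series. It assumes the input contains a dotted version such as "20.0.5", possibly inside a longer line; any suffix after the numbers is ignored.

```python
"""Affected-version check for CVE-2022-24755 (added example, not Bareos tooling).

Ranges from the advisory: affected from 18.2 up to, but not including,
19.2.12, 20.0.6 and 21.1.0 in their respective series; no fixed 18.2 release.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (18, 2, 0)
LAST_AFFECTED_MAJOR = 21
FIXED_IN = {19: (19, 2, 12), 20: (20, 0, 6), 21: (21, 1, 0)}


def parse_version(text: str) -> Version:
    """Pull the first dotted version out of a string; missing patch level is 0 (assumption)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text: str) -> bool:
    v = parse_version(text)
    if v < FIRST_AFFECTED or v[0] > LAST_AFFECTED_MAJOR:
        return False  # older than 18.2, or a series released after the fix
    fixed = FIXED_IN.get(v[0])
    return fixed is None or v < fixed  # 18.x has no fixed release, so it is always affected


def recommended_fix(text: str) -> Optional[str]:
    """Fixed release to move to, or None when the version is not affected."""
    if not is_affected(text):
        return None
    major = parse_version(text)[0]
    target = FIXED_IN.get(major, FIXED_IN[19])  # 18.2.x: oldest fixed series
    return ".".join(map(str, target))


if __name__ == "__main__":
    for sample in ("18.2.5", "19.2.11", "19.2.12", "20.0.5", "21.0.0", "21.1.0", "22.0.0"):
        print(f"{sample:8} affected={is_affected(sample)!s:5} fix={recommended_fix(sample)}")
```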

Weakness Enumeration

Incorrect Authorization (CWE-863)

Related Identifiers

CVE-2022-24755
GHSA-4979-8FFJ-4Q26

Affected Products

Bareos Director