CVE-2022-39238

Name of the Vulnerable Software and Affected Versions Arvados versions prior to 2.4.3

Description The issue affects Arvados, an open source platform for managing and analyzing biomedical big data. When using Portable Authentication Modules (PAM) for user authentication, if a user presents valid credentials but the account is disabled or otherwise not allowed to access the host, it would still be accepted for access to Arvados. Other authentication methods supported by Arvados, such as LDAP and OpenID Connect, are not affected by this flaw.

Recommendations For versions prior to 2.4.3, update to version 2.4.3 to resolve the issue. As a temporary workaround, consider migrating to a different authentication method supported by Arvados, such as LDAP, until the update to version 2.4.3 can be applied.