GitHub_M·CWE-324·Published 2022-03-07
Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upgrade should manually remove expired accounts via existing filtering mechanisms.
### Impact

Any configuration on any maddy version <0.5.4 using auth.pam is affected. No password expiry or account expiry checking is done when authenticating using PAM.

### Patches

Patch is available as part of the 0.5.4 release.

### Workarounds

If /etc/shadow authentication is used, it is possible to replace auth.pam with auth.shadow, which is not affected.

It is possible to blacklist expired accounts via existing filtering mechanisms (e.g. auth_map to invalid accounts in storage.imapsql).

### References

* https://github.com/foxcpp/maddy/blob/3412e59a2c92106e194fa69f2f1017c020037c9c/internal/auth/pam/pam.c
* https://linux.die.net/man/3/pam_acct_mgmt

### For more information

If you have any questions or comments about this advisory:

* Open an issue in https://github.com/foxcpp/maddy
* Email fox.cpp@disroot.org
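The check that the advisory says was missing is the PAM account-management stage (pam_acct_mgmt(3), the second reference above): a PAM client that stops after pam_authenticate has only verified the password, not whether the password or the account has aged out. For /etc/shadow-backed accounts that stage is where the shadow(5) ageing fields (last change, max age, inactivity window, account expiry date) are evaluated, which is also what the auth.shadow workaround relies on. The following is an added example, not maddy's code and not libpam: it implements those shadow(5) expiry semantics stand-alone in C so a defender can see exactly which conditions an authentication path must reject after a correct password. The shadow lines, the placeholder hashes and the fixed "today" (day 19058, i.e. 2022-03-07) are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Result of the account-ageing check that must follow a successful password check. */
enum acct_status {
    ACCT_OK = 0,
    ACCT_PASSWORD_EXPIRED,  /* password older than its max age: must be changed */
    ACCT_ACCOUNT_INACTIVE,  /* max age plus inactivity window exceeded: account locked */
    ACCT_ACCOUNT_EXPIRED,   /* absolute account expiry date reached */
    ACCT_PARSE_ERROR        /* malformed shadow line: fail closed */
};

/* Numeric ageing fields of one shadow(5) entry. Day fields are days since the
 * epoch; -1 means the field was empty, i.e. that ageing feature is disabled. */
struct shadow_aging {
    long lastchg; /* field 3: date of last password change */
    long min;     /* field 4: minimum password age */
    long max;     /* field 5: maximum password age */
    long warn;    /* field 6: warning period */
    long inact;   /* field 7: inactivity window after the password expires */
    long expire;  /* field 8: account expiry date */
};

/* Split buf in place on ':' into at most maxf fields; returns the field count. */
static int split_colon(char *buf, char *fields[], int maxf) {
    int n = 0;
    char *p = buf;
    while (n < maxf) {
        fields[n++] = p;
        char *c = strchr(p, ':');
        if (c == NULL) break;
        *c = '\0';
        p = c + 1;
    }
    return n;
}

/* Parse one day-count field: empty means disabled (-1); anything non-numeric is an error. */
static int parse_day_field(const char *s, long *out) {
    if (*s == '\0') { *out = -1; return 0; }
    char *end;
    long v = strtol(s, &end, 10);
    if (*end != '\0' || v < 0) return -1;
    *out = v;
    return 0;
}

/* Parse a full shadow(5) line (name:hash:lastchg:min:max:warn:inact:expire:flag). */
int parse_shadow_line(const char *line, struct shadow_aging *out) {
    char buf[512];
    char *fields[9];
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    if (split_colon(buf, fields, 9) < 8) return -1; /* need through the expire field */
    long *targets[6] = {&out->lastchg, &out->min, &out->max,
                        &out->warn, &out->inact, &out->expire};
    for (int i = 0; i < 6; i++)
        if (parse_day_field(fields[2 + i], targets[i]) != 0) return -1;
    return 0;
}

/* The account-management decision, following the shadow(5) field semantics. */
enum acct_status check_account(const struct shadow_aging *a, long today) {
    /* A set expiry date that has been reached disables the account outright. */
    if (a->expire > 0 && a->expire <= today) return ACCT_ACCOUNT_EXPIRED;
    /* lastchg == 0 means the password must be changed at next login. */
    if (a->lastchg == 0) return ACCT_PASSWORD_EXPIRED;
    /* Empty lastchg or max: password ageing is disabled for this account. */
    if (a->lastchg < 0 || a->max < 0) return ACCT_OK;
    long pw_expires = a->lastchg + a->max;
    if (today > pw_expires) {
        /* Past the inactivity window the account is locked rather than just nagged. */
        if (a->inact >= 0 && today > pw_expires + a->inact) return ACCT_ACCOUNT_INACTIVE;
        return ACCT_PASSWORD_EXPIRED;
    }
    return ACCT_OK;
}

/* Convenience: parse and check in one step; malformed input fails closed. */
enum acct_status check_shadow_line(const char *line, long today) {
    struct shadow_aging a;
    if (parse_shadow_line(line, &a) != 0) return ACCT_PARSE_ERROR;
    return check_account(&a, today);
}

/* Current day number, as a real caller would compute "today". */
long days_since_epoch_now(void) { return (long)(time(NULL) / 86400); }

int main(void) {
    /* Constructed sample entries; "$6$placeholderhash" stands in for a real hash. */
    const char *samples[] = {
        "alice:$6$placeholderhash:19000:0:99999:7:::",     /* healthy */
        "bob:$6$placeholderhash:18900:0:90:7:::",          /* password aged out */
        "carol:$6$placeholderhash:18900:0:90:7:30::",      /* aged out + inactive */
        "dave:$6$placeholderhash:19000:0:99999:7::19050:", /* account expiry date passed */
        "erin:$6$placeholderhash:0:0:99999:7:::",          /* forced change */
        "garbage",                                          /* malformed */
    };
    const char *names[] = {"OK", "PASSWORD_EXPIRED", "ACCOUNT_INACTIVE",
                           "ACCOUNT_EXPIRED", "PARSE_ERROR"};
    long today = 19058; /* fixed to 2022-03-07 so the output is reproducible */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-50s -> %s\n", samples[i], names[check_shadow_line(samples[i], today)]);
    return 0;
}
```

Only ACCT_OK should let a login proceed; every other status, including a parse error, is a reason to reject even though the password matched. In a real PAM client the equivalent decision is the return value of pam_acct_mgmt after pam_authenticate, which is the call the pre-0.5.4 path did not make.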
Maddy Mail Server is an open source SMTP-compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upgrade should manually remove expired accounts via existing filtering mechanisms.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 6.5 | 8.0 | 6.4 | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| 3.1 | Primary | NVD | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 6.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | Secondary | NVD | 6.3 | 2.8 | 3.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | Secondary | GHSA | 6.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |