CVE-2022-39238

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-39238
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39238.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-39238
Aliases
  • GHSA-87jr-xwhg-cxjv
Published
2022-09-23T08:05:08Z
Modified
2025-11-28T04:53:43.453646Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Improper Authentication in Arvados when using PAM as identity provider
Details

Arvados is an open source platform for managing and analyzing biomedical big data. In versions prior to 2.4.3, when using Portable Authentication Modules (PAM) for user authentication, a user who presented valid credentials was still accepted for access to Arvados even if the account was disabled or otherwise not allowed to access the host (for example, because of an expired password). Other authentication methods supported by Arvados (LDAP, OpenID Connect) are not affected by this flaw. This issue is patched in version 2.4.3. A workaround for this issue is to migrate to a different authentication method supported by Arvados, such as LDAP.

Database specific
{
    "cwe_ids": [
        "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39238.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/arvados/arvados

Affected ranges

Type
GIT
Repo
https://github.com/arvados/arvados
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0
1.3.0

2.*

2.0.0
2.1.0
2.4.0
2.4.1
2.4.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39238.json"