Closed

Description
Query PR
Language
Python
CVE(s) ID list
- CVE-2022-0860 found in cobbler/cobbler
- fredhutch/motuz
CWE
CWE-285
Report
Using only a call to pam_authenticate to check the validity of a login can lead to authorization bypass vulnerabilities. pam_authenticate only verifies the credentials of a user. It does not check if the user has the appropriate authorization to actually log in. This means a user with an expired login or password can still access the system.

This PR includes a qhelp describing the issue, a query which detects instances where a call to pam_acct_mgmt does not follow a call to pam_authenticate, and its corresponding tests.
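The distinction the report draws, as an added example that is not code from this PR, from cobbler/cobbler or from fredhutch/motuz: a constructed in-memory PAM stand-in (`FakePam`, with made-up accounts) that returns Linux-PAM's real result codes, beside a login check that stops at `pam_authenticate` and one that also requires `pam_acct_mgmt` to succeed. The in-memory stand-in is an assumption for runnability; against real libpam the same two calls are made through ctypes as `libpam.pam_authenticate(handle, 0)` followed by `libpam.pam_acct_mgmt(handle, 0)`.

```python
"""Authentication vs. authorization with a PAM-style API.

Constructed example, not code from the PR or from cobbler/motuz. FakePam below
mimics the return codes of Linux-PAM's pam_authenticate() and pam_acct_mgmt();
real code would reach libpam through ctypes, e.g.
libpam.pam_authenticate(handle, 0) followed by libpam.pam_acct_mgmt(handle, 0).
"""
from dataclasses import dataclass

# Result codes as defined by Linux-PAM (<security/_pam_types.h>).
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_USER_UNKNOWN = 10
PAM_NEW_AUTHTOK_REQD = 12   # credentials valid, but the password must be changed
PAM_ACCT_EXPIRED = 13       # account is no longer allowed to log in


@dataclass
class Account:
    password: str
    expired: bool = False           # account has passed its expiry date
    password_expired: bool = False  # password is correct but has expired


class FakePam:
    """Constructed stand-in for a PAM handle (assumption, not real libpam)."""

    def __init__(self, accounts):
        self.accounts = accounts

    def authenticate(self, user, password):
        # Mirrors pam_authenticate: checks the credential and nothing else.
        acct = self.accounts.get(user)
        if acct is None:
            return PAM_USER_UNKNOWN
        return PAM_SUCCESS if acct.password == password else PAM_AUTH_ERR

    def acct_mgmt(self, user):
        # Mirrors pam_acct_mgmt: decides whether the account may be used now.
        acct = self.accounts.get(user)
        if acct is None:
            return PAM_USER_UNKNOWN
        if acct.expired:
            return PAM_ACCT_EXPIRED
        if acct.password_expired:
            return PAM_NEW_AUTHTOK_REQD
        return PAM_SUCCESS


def login_vulnerable(pam, user, password):
    """The pattern the query flags: authentication only, no account check."""
    return pam.authenticate(user, password) == PAM_SUCCESS


def login_fixed(pam, user, password):
    """Authenticate, then require pam_acct_mgmt to succeed as well.

    PAM_NEW_AUTHTOK_REQD is treated as a denial here; a fuller implementation
    would run the password-change flow (pam_chauthtok) before granting access.
    """
    if pam.authenticate(user, password) != PAM_SUCCESS:
        return False
    return pam.acct_mgmt(user) == PAM_SUCCESS


# Constructed sample accounts for the demonstration.
SAMPLE_PAM = FakePam({
    "alice": Account("correct horse"),
    "bob": Account("battery staple", expired=True),
    "carol": Account("hunter2", password_expired=True),
})


def compare(user, password):
    """Return (vulnerable_result, fixed_result) for one login attempt."""
    return (login_vulnerable(SAMPLE_PAM, user, password),
            login_fixed(SAMPLE_PAM, user, password))


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("bob", "battery staple"),
                     ("carol", "hunter2"), ("alice", "wrong")]:
        print(user, compare(user, pw))
```

Running the block shows the bypass directly: bob's account is expired and carol's password has expired, yet `login_vulnerable` admits both because their credentials still verify; only `login_fixed` turns them away.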
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
- Yes
- No
Blog post link
No response