How severe is CVE-2022-24755?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2022-24755?

This is classified as CWE-863, which is a common weakness in software security.

CVE-2022-24755 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, it will skip authorization checks completely. Expired accounts and accounts with expired passwords can still login. This problem will affect users that have PAM enabled. Currently there is no authorization (e.g. check for expired or disabled accounts), but only plain authentication (i.e. check if username and password match). Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 implement the authorization check that was previously missing. The only workaround is to make sure that authentication fails if the user is not authorized.

Related Vulnerabilities

CVE-2001-1155

CRITICAL

CVSS:9.8(Critical)

TCP Wrappers (tcp_wrappers) in FreeBSD 4.1.1 through 4.3 with the PARANOID ACL option enabled does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass i...

CWE-8632001

CVE-2008-7109

CRITICAL

CVSS:9.8(Critical)

The Scanner File Utility (aka listener) in Kyocera Mita (KM) 3.3.0.1 allows remote attackers to bypass authorization and upload arbitrary files to the client system via a modified program that does no...

CWE-8632008

CVE-2010-1435

CRITICAL

CVSS:9.8(Critical)

Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently retrieve password reset tokens from the dat...

CWE-8632010

CVE-2012-6094

CRITICAL

CVSS:9.8(Critical)

cups (Common Unix Printing System) 'Listen localhost:631' option not honored correctly which could provide unauthorized access to the system

CWE-8632012

CVE-2013-2198

CRITICAL

CVSS:9.8(Critical)

The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal allows attackers to bypass intended restrictions via a crafted username.

CWE-8632013

CVE-2016-20001

CRITICAL

CVSS:9.8(Critical)

The REST/JSON project 7.x-1.x for Drupal allows node access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.

CWE-8632016