6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24732

GHSA ID

GHSA-6cp7-g972-w9m9

EPSS Score

0.32878%

CWE

CWE-324

Published

3/7/2022

Updated

2/3/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24732

CVE-2022-24732:
Use of a Key Past its Expiration Date and Insufficient Session Expiration in Maddy Mail Server

Impact

Any configuration on any maddy version <0.5.4 using auth.pam is affected.

No password expiry or account expiry checking is done when authenticating using PAM.

Patches

Patch is available as part of the 0.5.4 release.

Workarounds

If /etc/shadow authentication is used, it is possible to replace auth.pam with auth.shadow which is not affected.

It is possible to blacklist expired accounts via existing filtering mechanisms (e.g. auth_map to invalid accounts in storage.imapsql).

References

https://github.com/foxcpp/maddy/blob/3412e59a2c92106e194fa69f2f1017c020037c9c/internal/auth/pam/pam.c
https://linux.die.net/man/3/pam_acct_mgmt

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/foxcpp/maddy
Email fox.cpp@disroot.org

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24732

GHSA ID

GHSA-6cp7-g972-w9m9

EPSS Score

0.32878%

CWE

CWE-324

Published

3/7/2022

Updated

2/3/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/foxcpp/maddy	go	< 0.5.4	0.5.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing PAM account management checks (pam_acct_mgmt) in the authentication flow. The patch explicitly adds this call to both implementations of run_pam_auth in cmd/maddy-pam-helper/pam.c and internal/auth/pam/pam.c. The absence of this function in the vulnerable versions allowed authentication without validating account/password expiration status, directly matching the CWE-324 and CWE-613 descriptions. The commit diff and PAM documentation confirm pam_acct_mgmt is required for these checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ny *on*i*ur*tion on *ny m***y v*rsion <*.*.* usin* *ut*.p*m is *****t**. No p*sswor* *xpiry or ***ount *xpiry ****kin* is *on* w**n *ut**nti**tin* usin* P*M. ### P*t***s P*t** is *v*il**l* *s p*rt o* t** *.*.* r*l**s*. ### Work*roun*

Reasoning

T** vuln*r**ility st*ms *rom missin* P*M ***ount m*n***m*nt ****ks (p*m_***t_m*mt) in t** *ut**nti**tion *low. T** p*t** *xpli*itly ***s t*is **ll to *ot* impl*m*nt*tions o* run_p*m_*ut* in *m*/m***y-p*m-**lp*r/p*m.* *n* int*rn*l/*ut*/p*m/p*m.*. T**

6.3

Basic Information

Concerned about an active attack path?

CVE-2022-24732: Use of a Key Past its Expiration Date and Insufficient Session Expiration in Maddy Mail Server

Impact

Patches

Workarounds

References

For more information

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-24732:
Use of a Key Past its Expiration Date and Insufficient Session Expiration in Maddy Mail Server

Vulnerability Intelligence
Miggo AI