CVE-2022-24732: Use of a Key Past its Expiration Date and Insufficient Session Expiration in Maddy Mail Server
CVSS Score: 6.3 (CVSS v3.1)
Basic Information

CVE ID: CVE-2022-24732
GHSA ID:
EPSS Score: 0.32878%
CWE: CWE-324, CWE-613
Published: 3/7/2022
Updated: 2/3/2023
KEV Status: No
Technology: Go
Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/foxcpp/maddy | go | < 0.5.4 | 0.5.4 |
Vulnerability Intelligence (Miggo AI)

Root Cause Analysis
The vulnerability stems from a missing PAM account-management check (pam_acct_mgmt) in the authentication flow. In PAM, pam_authenticate only verifies the supplied credential; pam_acct_mgmt is the separate call that determines whether the account is still valid, including account and password expiration. The patch adds this call to both implementations of run_pam_auth, in cmd/maddy-pam-helper/pam.c and internal/auth/pam/pam.c. Because the vulnerable versions skipped it, a user whose account or password had expired could still authenticate with an otherwise correct credential, which matches the CWE-324 and CWE-613 descriptions. The commit diff and the PAM documentation confirm that pam_acct_mgmt is required for these checks. Operators relying on PAM expiry to disable mail accounts should upgrade to 0.5.4 and confirm, with a test account whose PAM expiry has passed, that login is refused.
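The two flows side by side, as an added example that is not maddy's code: the vulnerable shape stops after the credential check, the fixed shape runs account management afterwards. The real run_pam_auth calls libpam's pam_authenticate() and pam_acct_mgmt(); here both steps are simulated against a constructed user table (fake_pam_authenticate, fake_pam_acct_mgmt, the ACCOUNTS data and the result-code values are all assumptions of this example) so the logic runs without libpam.

```c
/* Added illustration of CVE-2022-24732's logic; not code from the maddy project.
 * Result codes are named after Linux-PAM's; the numeric values are constructed. */
#include <string.h>
#include <time.h>

enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_USER_UNKNOWN = 10, PAM_ACCT_EXPIRED = 13 };

struct account {
    const char *user;
    const char *password;   /* plaintext only because this is a model */
    time_t      expires_at; /* account expiry as Unix time, 0 = never */
};

/* Constructed sample data: "bob" knows his password but his account expired. */
static const struct account ACCOUNTS[] = {
    { "alice", "correct-horse",  0 },
    { "bob",   "battery-staple", 1640995200 }, /* 2022-01-01T00:00:00Z */
};

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].user, user) == 0) return &ACCOUNTS[i];
    return NULL;
}

/* Stand-in for pam_authenticate(): verifies the credential and nothing else. */
static int fake_pam_authenticate(const char *user, const char *password) {
    const struct account *a = lookup(user);
    if (!a) return PAM_USER_UNKNOWN;
    return strcmp(a->password, password) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Stand-in for pam_acct_mgmt(): checks account validity, not the credential. */
static int fake_pam_acct_mgmt(const char *user, time_t now) {
    const struct account *a = lookup(user);
    if (!a) return PAM_USER_UNKNOWN;
    return (a->expires_at != 0 && now >= a->expires_at) ? PAM_ACCT_EXPIRED : PAM_SUCCESS;
}

/* Pre-0.5.4 shape: the credential check alone decides, so expired accounts log in. */
int vulnerable_pam_auth(const char *user, const char *password, time_t now) {
    (void)now; /* account state is never consulted */
    return fake_pam_authenticate(user, password);
}

/* 0.5.4 shape: account management runs after a successful credential check. */
int fixed_pam_auth(const char *user, const char *password, time_t now) {
    int rc = fake_pam_authenticate(user, password);
    if (rc != PAM_SUCCESS) return rc;
    return fake_pam_acct_mgmt(user, now);
}
```

Note that a credential failure still short-circuits in the fixed flow, so pam_acct_mgmt never runs for an unknown user or a wrong password; it only adds a second gate after a correct one.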