CVE-2022-24732: Use of a Key Past its Expiration Date and Insufficient Session Expiration in Maddy Mail Server

CVSS Score (CVSS v3.1)
6.3

Basic Information

EPSS Score
0.32878%
Published
3/7/2022
Updated
2/3/2023
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Package Name
github.com/foxcpp/maddy
Ecosystem
go
Vulnerable Versions
< 0.5.4
First Patched Version
0.5.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from a missing PAM account-management check (pam_acct_mgmt) in the authentication flow. The patch adds this call to both implementations of run_pam_auth, in cmd/maddy-pam-helper/pam.c and internal/auth/pam/pam.c. Without it, vulnerable versions accepted any user whose password verified under pam_authenticate, regardless of whether the account or the password had expired, which is the behaviour described by CWE-324 (use of a key past its expiration date) and CWE-613 (insufficient session expiration). The commit diff and the PAM documentation confirm that pam_acct_mgmt is the call that performs these checks: pam_authenticate only verifies the credential, while pam_acct_mgmt is where modules such as pam_unix evaluate account expiry and password age and return PAM_ACCT_EXPIRED or PAM_NEW_AUTHTOK_REQD. A correct fix must treat any result other than PAM_SUCCESS from pam_acct_mgmt as an authentication failure; in particular PAM_NEW_AUTHTOK_REQD cannot be honoured by a mail server, which has no way to drive a password change over IMAP or SMTP AUTH.
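The separation described above, reproduced as an added Go example that is not maddy's code and does not link libpam (the real fix is one extra pam_acct_mgmt call after pam_authenticate in the cgo helper). The shadow-style table, the users alice, bob, carol and dave, the day-19000 clock and the sha256 placeholder hash are constructed for the example, and the functions authenticate, acctMgmt, loginVulnerable and loginFixed are hypothetical names chosen to mirror the two PAM steps. It shows why a credential check alone is not an authentication decision: the first step answers "is the password right?", the second answers "may this account log in today?", and skipping the second is exactly the bug.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Sentinel errors stand in for the PAM result codes each step produces.
var ErrBadPassword = errors.New("authentication failed (PAM_AUTH_ERR)")
var ErrPasswordExpired = errors.New("password expired (PAM_NEW_AUTHTOK_REQD)")
var ErrAccountExpired = errors.New("account expired (PAM_ACCT_EXPIRED)")

// shadowEntry holds the /etc/shadow fields pam_unix's account step reads (days since 1970-01-01; -1 = field empty).
type shadowEntry struct {
	User, Hash                  string
	LastChange, MaxDays, Expire int64 // LastChange 0 forces a password change
}

// parseShadow reads name:hash:lastchange:min:max:warn:inactive:expire:reserved lines (constructed input).
func parseShadow(text string) (map[string]shadowEntry, error) {
	db := make(map[string]shadowEntry)
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(line, ":")
		if len(f) != 9 {
			return nil, fmt.Errorf("malformed shadow line %q", line)
		}
		var days [3]int64
		for i, idx := range [3]int{2, 4, 7} { // lastchange, max, expire
			days[i] = -1
			if f[idx] == "" {
				continue
			}
			d, err := strconv.ParseInt(f[idx], 10, 64)
			if err != nil {
				return nil, err
			}
			days[i] = d
		}
		db[f[0]] = shadowEntry{f[0], f[1], days[0], days[1], days[2]}
	}
	return db, nil
}

// hashPassword stands in for a real password KDF; the example is about expiry, not hashing.
func hashPassword(pw string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(pw))) }

// authenticate is the pam_authenticate step: it checks only the secret.
func authenticate(db map[string]shadowEntry, user, pw string) error {
	e, ok := db[user]
	if !ok || subtle.ConstantTimeCompare([]byte(e.Hash), []byte(hashPassword(pw))) != 1 {
		return ErrBadPassword
	}
	return nil
}

// acctMgmt is the pam_acct_mgmt step as pam_unix performs it: account expiry, then forced change, then password age.
func acctMgmt(e shadowEntry, today int64) error {
	if e.Expire >= 0 && today >= e.Expire {
		return ErrAccountExpired
	}
	if e.LastChange == 0 || (e.MaxDays >= 0 && today > e.LastChange+e.MaxDays) {
		return ErrPasswordExpired
	}
	return nil
}

// loginVulnerable mirrors maddy < 0.5.4: the flow stops after authentication.
func loginVulnerable(db map[string]shadowEntry, user, pw string, today int64) error {
	return authenticate(db, user, pw)
}

// loginFixed mirrors the 0.5.4 patch: account management runs after a successful
// authentication, and any non-success result denies the login.
func loginFixed(db map[string]shadowEntry, user, pw string, today int64) error {
	if err := authenticate(db, user, pw); err != nil {
		return err
	}
	return acctMgmt(db[user], today)
}

// sampleShadow returns constructed entries chosen so that on day 19000 (2022-01-08) alice is valid,
// bob's password exceeds its 90-day maximum, carol's account expired on day 18990 and dave must change his password.
func sampleShadow() string {
	return fmt.Sprintf("alice:%s:18900::99999:7:::\nbob:%s:18800::90:7:::\ncarol:%s:18950::99999:7::18990:\ndave:%s:0::99999:7:::\n",
		hashPassword("alice-pass"), hashPassword("bob-pass"), hashPassword("carol-pass"), hashPassword("dave-pass"))
}

func main() {
	db, err := parseShadow(sampleShadow())
	if err != nil {
		panic(err)
	}
	const today int64 = 19000 // fixed for a reproducible run; live code uses time.Now().Unix()/86400
	for _, u := range []string{"alice", "bob", "carol", "dave"} {
		fmt.Printf("%-6s vulnerable=%v  fixed=%v\n", u, loginVulnerable(db, u, u+"-pass", today), loginFixed(db, u, u+"-pass", today))
	}
}
```

Running it prints one line per user: the vulnerable flow reports nil for all four, because every password is correct, while the fixed flow reports nil only for alice and rejects bob (password age), carol (account expiry) and dave (forced change). The ordering inside acctMgmt matters for the same reason it does in pam_unix: an expired account must be reported as such even when its password is also stale, and a wrong password must fail before any account state is revealed.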

WAF Protection Rules

WAF Rule

Impact
Any configuration on any maddy version < 0.5.4 using auth.pam is affected. No password expiry or account expiry checking is done when authenticating using PAM.

Patches
Patch is available as part of the 0.5.4 release.

Workaround
