
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-24755 affects Bareos Director versions 18.2 and later but prior to 21.1.0, 20.0.6, and 19.2.12. The vulnerability exists when Bareos Director is built and configured for PAM authentication, in which case it skips authorization checks entirely. Bareos is an open-source suite for backup, archiving, and recovery of data (NVD, GitHub Advisory).
The vulnerability stems from an implementation flaw in the PAM authentication mechanism: the software performs authentication (matching the username and password) but does not perform the separate authorization step, so it never verifies account status, for example whether the account or its password has expired or the account has been disabled. NVD assigns the vulnerability a CVSS v3.1 base score of 9.8 CRITICAL and GitHub 8.1 HIGH, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).
When exploited, this vulnerability allows users with expired accounts or expired passwords to successfully log into the system. This affects all installations that have PAM authentication enabled, potentially compromising the security of the backup system by allowing unauthorized access (GitHub Advisory).
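The authentication-versus-authorization gap described above, as an added Python model for illustration; this is not Bareos code and not the project's PAM integration. In real PAM terms the credential check is `pam_authenticate()` and the account-status check is `pam_acct_mgmt()`, and the flaw described on this page corresponds to a login flow that stops after the first call. The account store, dates and function names below are constructed for the example.

```python
"""Model of "authenticated but never authorized", the pattern behind CVE-2022-24755.

Added illustration, not Bareos code. Phase 1 mirrors pam_authenticate()
(credential check); phase 2 mirrors pam_acct_mgmt() (account status: expiry,
lockout, password age). A login path that skips phase 2 lets expired or
disabled accounts in. All accounts below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple
import hashlib
import hmac


@dataclass
class Account:
    username: str
    password_sha256: str                      # hex digest of the sample password
    disabled: bool = False
    account_expires: Optional[date] = None    # None means never
    password_expires: Optional[date] = None   # None means never


def _digest(password: str) -> str:
    # Plain SHA-256 keeps the sample short; a real store would use a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample accounts (hypothetical users and passwords).
ACCOUNTS = {
    "alice": Account("alice", _digest("alice-pw")),
    "bob": Account("bob", _digest("bob-pw"), account_expires=date(2022, 1, 1)),
    "carol": Account("carol", _digest("carol-pw"), password_expires=date(2022, 2, 1)),
    "dave": Account("dave", _digest("dave-pw"), disabled=True),
}


def authenticate(username: str, password: str) -> bool:
    """Phase 1 (analogous to pam_authenticate): does the credential match?"""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    return hmac.compare_digest(acct.password_sha256, _digest(password))


def account_management(username: str, today: date) -> str:
    """Phase 2 (analogous to pam_acct_mgmt): is the account allowed to log in today?

    Returns "ok" or a reason code naming the first failed check.
    """
    acct = ACCOUNTS[username]
    if acct.disabled:
        return "account_disabled"
    if acct.account_expires is not None and today >= acct.account_expires:
        return "account_expired"
    if acct.password_expires is not None and today >= acct.password_expires:
        return "password_expired"
    return "ok"


def login_vulnerable(username: str, password: str, today: date) -> Tuple[bool, str]:
    """The flawed flow: a matching credential is treated as full authorization."""
    if authenticate(username, password):
        return True, "authenticated"        # phase 2 never runs
    return False, "bad_credentials"


def login_fixed(username: str, password: str, today: date) -> Tuple[bool, str]:
    """The corrected flow: authentication must succeed AND account management must pass."""
    if not authenticate(username, password):
        return False, "bad_credentials"
    status = account_management(username, today)
    return status == "ok", status


if __name__ == "__main__":
    today = date(2022, 3, 1)
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"),
                     ("carol", "carol-pw"), ("dave", "dave-pw")]:
        print(f"{user:6s} vulnerable={login_vulnerable(user, pw, today)} "
              f"fixed={login_fixed(user, pw, today)}")
```

Running the script shows bob (expired account), carol (expired password) and dave (disabled) all accepted by `login_vulnerable` and all refused with a reason code by `login_fixed`; only alice passes both. The detection angle for defenders is the same split: an audit trail that records only "credential accepted" cannot distinguish the two flows, so logging the account-management outcome separately is what makes a bypass of this kind visible.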
The vulnerability has been fixed in Bareos Director versions 21.1.0, 20.0.6, and 19.2.12. Users are strongly advised to upgrade to these patched versions immediately. As a temporary workaround, administrators can configure their PAM setup to ensure authentication fails if the user is not authorized, though this may not be possible in all scenarios (GitHub Advisory).
Source: This report was generated using AI