
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity authorization bypass vulnerability was discovered in Caddy-SSH version 0.0.1, identified as GHSA-gmhj-xjfh-cf6m. The vulnerability stems from the incorrect usage of the PAM library, specifically the absence of a pam_acct_mgmt call after pam_authenticate during the login process. This vulnerability was published on September 23, 2022, and affects the github.com/mohammed90/caddy-ssh Go module (GitHub Advisory).
The vulnerability occurs because the implementation calls only pam.Authenticate during user login and performs no subsequent account validation. The CVSS v3.1 score is 7.7 (High), with a vector string of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N. The vulnerability is associated with CWE-285 (Improper Authorization) and CWE-863 (Incorrect Authorization). The technical root cause lies in the PAM transaction: pam_authenticate only verifies the supplied credentials, while pam_acct_mgmt is the step that checks whether the account and password are still valid, so skipping it allows users with expired credentials to log in successfully (GitHub Advisory).
The vulnerability has significant security implications, particularly affecting confidentiality and integrity. It enables attackers to access restricted parts of the system and gain access to confidential files including passwords, login credentials, and other secrets. The vulnerability has a high impact on confidentiality and a medium to high impact on integrity, though it does not affect system availability (GitHub Advisory).
The vulnerability can be fixed by implementing a call to pam.AcctMgmt after a successful call to pam.Authenticate. A patch has been developed that adds the necessary account validation check to the authentication flow (GitHub Commit).
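The following is an added example, not code from Caddy-SSH or the advisory. It models the two PAM steps the advisory discusses with a small interface whose method shape is assumed to mirror a Go PAM binding's Authenticate/AcctMgmt, and uses a constructed fake transaction (correct password, expired account) to show the vulnerable login flow admitting the account while the patched flow rejects it.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrAcctExpired stands in for the pam_acct_mgmt failure of an expired account.
var ErrAcctExpired = errors.New("pam: account or password expired")

// Transaction models the two PAM steps the advisory discusses; the method
// shape is assumed to mirror a Go PAM binding's Authenticate/AcctMgmt.
type Transaction interface {
	Authenticate(flags int) error // pam_authenticate: is the password right?
	AcctMgmt(flags int) error     // pam_acct_mgmt: is the account still valid?
}

// fakeTransaction is a constructed stand-in for a real PAM stack: the
// password may be correct while the account itself has expired.
type fakeTransaction struct{ passwordOK, expired bool }

func (f fakeTransaction) Authenticate(int) error {
	if !f.passwordOK {
		return errors.New("pam: authentication failure")
	}
	return nil
}

func (f fakeTransaction) AcctMgmt(int) error {
	if f.expired {
		return ErrAcctExpired
	}
	return nil
}

// loginVulnerable reproduces the flaw: only pam_authenticate is checked, so an expired account with a correct password is admitted.
func loginVulnerable(t Transaction) error { return t.Authenticate(0) }

// loginFixed adds pam_acct_mgmt after a successful pam_authenticate (the advisory's fix).
func loginFixed(t Transaction) error {
	if err := t.Authenticate(0); err != nil {
		return err
	}
	return t.AcctMgmt(0)
}

func main() {
	expired := fakeTransaction{passwordOK: true, expired: true}
	fmt.Println("vulnerable:", loginVulnerable(expired), "fixed:", loginFixed(expired))
}
```

Any real binding that exposes the two methods can satisfy Transaction, so the same loginFixed wrapper can be reused against a live PAM stack.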
Source: This report was generated using AI