CVE-2022-39238 - OpenCVE

Vendors	Products
Arvados	Arvados

Link	Resource
https://github.com/arvados/arvados/security/advisories/GHSA-87jr-xwhg-cxjv	Third Party Advisory

{"containers": {"cna": {"affected": [{"product": "arvados", "vendor": "arvados", "versions": [{"status": "affected", "version": "< 2.4.3"}]}], "descriptions": [{"lang": "en", "value": "Arvados is an open source platform for managing and analyzing biomedical big data. In versions prior to 2.4.3, when using Portable Authentication Modules (PAM) for user authentication, if a user presented valid credentials but the account is disabled or otherwise not allowed to access the host (such as an expired password), it would still be accepted for access to Arvados. Other authentication methods (LDAP, OpenID Connect) supported by Arvados are not affected by this flaw. This issue is patched in version 2.4.3. Workaround for this issue is to migrate to a different authentication method supported by Arvados, such as LDAP."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-23T08:05:08", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/arvados/arvados/security/advisories/GHSA-87jr-xwhg-cxjv"}], "source": {"advisory": "GHSA-87jr-xwhg-cxjv", "discovery": "UNKNOWN"}, "title": "Improper Authentication in Arvados when using PAM as identity provider", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-39238", "STATE": "PUBLIC", "TITLE": "Improper Authentication in Arvados when using PAM as identity provider"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "arvados", "version": {"version_data": [{"version_value": "< 2.4.3"}]}}]}, "vendor_name": "arvados"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Arvados is an open source platform for managing and analyzing biomedical big data. In versions prior to 2.4.3, when using Portable Authentication Modules (PAM) for user authentication, if a user presented valid credentials but the account is disabled or otherwise not allowed to access the host (such as an expired password), it would still be accepted for access to Arvados. Other authentication methods (LDAP, OpenID Connect) supported by Arvados are not affected by this flaw. This issue is patched in version 2.4.3. Workaround for this issue is to migrate to a different authentication method supported by Arvados, such as LDAP."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287: Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "https://github.com/arvados/arvados/security/advisories/GHSA-87jr-xwhg-cxjv", "refsource": "CONFIRM", "url": "https://github.com/arvados/arvados/security/advisories/GHSA-87jr-xwhg-cxjv"}]}, "source": {"advisory": "GHSA-87jr-xwhg-cxjv", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39238", "datePublished": "2022-09-23T08:05:08", "dateReserved": "2022-09-02T00:00:00", "dateUpdated": "2022-09-23T08:05:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arvados:arvados:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "AC71C425-D344-4352-8C95-6B8AE7AAFB19", "versionEndExcluding": "2.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Arvados is an open source platform for managing and analyzing biomedical big data. In versions prior to 2.4.3, when using Portable Authentication Modules (PAM) for user authentication, if a user presented valid credentials but the account is disabled or otherwise not allowed to access the host (such as an expired password), it would still be accepted for access to Arvados. Other authentication methods (LDAP, OpenID Connect) supported by Arvados are not affected by this flaw. This issue is patched in version 2.4.3. Workaround for this issue is to migrate to a different authentication method supported by Arvados, such as LDAP."}, {"lang": "es", "value": "Arvados es una plataforma de c\u00f3digo abierto para administrar y analizar big data biom\u00e9dico. En versiones anteriores a 2.4.3, cuando eran usados M\u00f3dulos de Autenticaci\u00f3n Port\u00e1tiles (PAM) para la autenticaci\u00f3n de usuarios, si un usuario presentaba credenciales v\u00e1lidas pero la cuenta estaba deshabilitada o no ten\u00eda permiso para acceder al host (como una contrase\u00f1a caducada), segu\u00eda siendo aceptada para acceder a Arvados. Otros m\u00e9todos de autenticaci\u00f3n (LDAP, OpenID Connect) soportados por Arvados no est\u00e1n afectados por este fallo. Este problema est\u00e1 parcheado en versi\u00f3n 2.4.3. La mitigaci\u00f3n a este problema es migrar a un m\u00e9todo de autenticaci\u00f3n diferente soportado por Arvados, como LDAP."}], "id": "CVE-2022-39238", "lastModified": "2022-09-26T16:35:36.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-09-23T08:15:09.023", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/arvados/arvados/security/advisories/GHSA-87jr-xwhg-cxjv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

JSON object

JSON object

JSON object