CVE-2022-39238
low-risk
Published 2022-09-23
Arvados is an open source platform for managing and analyzing biomedical big data. In versions prior to 2.4.3, when using Pluggable Authentication Modules (PAM) for user authentication, a user who presented valid credentials for an account that was disabled or otherwise not allowed to access the host (for example, one whose password had expired) was still accepted for access to Arvados. The password was checked, but the account's current standing was not. The other authentication methods Arvados supports (LDAP, OpenID Connect) are not affected by this flaw. This issue is patched in version 2.4.3. The workaround is to migrate to a different authentication method supported by Arvados, such as LDAP.
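This is the familiar PAM pitfall of treating a successful credential check as a complete login. PAM splits login into two calls: pam_authenticate(3) verifies the password, and pam_acct_mgmt(3) asks whether the account may log in right now (not disabled, not expired, password not expired). A service that stops after the first call accepts exactly the accounts this advisory describes. The Go example below is an added illustration, not Arvados code and not its actual patch: it models the pre-2.4.3 behaviour as a handler that skips pam_acct_mgmt, next to a handler that runs both steps, and exercises both against a constructed in-memory stand-in for libpam. The Transaction interface, fakePAM and the sample directory are assumptions made for this example; the return codes are the real Linux-PAM values.

```go
package main

import (
	"errors"
	"fmt"
)

// Linux-PAM return codes from <security/_pam_types.h> that a login handler
// must distinguish. pam_authenticate answers "is the credential right?";
// pam_acct_mgmt answers "may this account log in right now?".
const (
	PAM_SUCCESS          = 0
	PAM_PERM_DENIED      = 6
	PAM_AUTH_ERR         = 7
	PAM_NEW_AUTHTOK_REQD = 12 // password expired; PAM expects a password change
	PAM_ACCT_EXPIRED     = 13 // account disabled or expired
)

// Transaction is the subset of a PAM transaction a login handler needs
// (hypothetical interface for this example; a real one wraps libpam).
type Transaction interface {
	Authenticate(flags int) int // pam_authenticate(3)
	AcctMgmt(flags int) int     // pam_acct_mgmt(3)
}

var ErrAuthFailed = errors.New("authentication failed")

// loginVulnerable models the pre-2.4.3 behaviour as the classic mistake:
// a successful pam_authenticate is treated as a finished login and
// pam_acct_mgmt is never consulted, so disabled accounts get in.
func loginVulnerable(tx Transaction) error {
	if rc := tx.Authenticate(0); rc != PAM_SUCCESS {
		return fmt.Errorf("%w: pam_authenticate rc=%d", ErrAuthFailed, rc)
	}
	return nil
}

// loginFixed runs the full sequence. Anything other than PAM_SUCCESS from
// pam_acct_mgmt denies the login. PAM_NEW_AUTHTOK_REQD is a denial too: a web
// service cannot run the interactive password-change step PAM expects there.
func loginFixed(tx Transaction) error {
	if rc := tx.Authenticate(0); rc != PAM_SUCCESS {
		return fmt.Errorf("%w: pam_authenticate rc=%d", ErrAuthFailed, rc)
	}
	switch rc := tx.AcctMgmt(0); rc {
	case PAM_SUCCESS:
		return nil
	case PAM_NEW_AUTHTOK_REQD:
		return fmt.Errorf("%w: password expired (rc=%d)", ErrAuthFailed, rc)
	case PAM_ACCT_EXPIRED, PAM_PERM_DENIED:
		return fmt.Errorf("%w: account not permitted to log in (rc=%d)", ErrAuthFailed, rc)
	default:
		return fmt.Errorf("%w: pam_acct_mgmt rc=%d", ErrAuthFailed, rc)
	}
}

// fakeAccount and fakePAM are a constructed test double for libpam: each
// account has a password and the code pam_acct_mgmt would return for it.
type fakeAccount struct {
	password  string
	acctState int
}

type fakePAM struct {
	accounts       map[string]fakeAccount
	user, password string // credentials presented by the client
}

func (f *fakePAM) Authenticate(flags int) int {
	acct, ok := f.accounts[f.user]
	if !ok || acct.password != f.password {
		return PAM_AUTH_ERR
	}
	return PAM_SUCCESS
}

// AcctMgmt is only reached after Authenticate succeeded, so the user exists.
func (f *fakePAM) AcctMgmt(flags int) int {
	return f.accounts[f.user].acctState
}

// Constructed sample directory (not real data): alice is a normal account,
// bob has been disabled, carol's password has expired.
var directory = map[string]fakeAccount{
	"alice": {password: "correct horse", acctState: PAM_SUCCESS},
	"bob":   {password: "hunter2", acctState: PAM_ACCT_EXPIRED},
	"carol": {password: "s3cret", acctState: PAM_NEW_AUTHTOK_REQD},
}

// attempt runs one login handler against the sample directory with the
// given credentials and returns the handler's decision.
func attempt(login func(Transaction) error, user, password string) error {
	return login(&fakePAM{accounts: directory, user: user, password: password})
}

func main() {
	for _, u := range []string{"alice", "bob", "carol"} {
		pw := directory[u].password
		fmt.Printf("%-6s vulnerable: %-44v fixed: %v\n",
			u, attempt(loginVulnerable, u, pw), attempt(loginFixed, u, pw))
	}
}
```

With the correct password for every account, the vulnerable handler lets all three in; the fixed handler admits only alice and rejects bob (disabled) and carol (expired password). The same split applies to any PAM-backed service, not just Arvados: a login handler that returns after pam_authenticate has not finished authenticating.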
Do I need to act?
EPSS: 0.23% chance of exploitation (low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch available: fixed in Arvados 2.4.3; see the vendor advisory below for upgrade and workaround guidance
CVSS 4.2/10 · Medium · attack vector: Network · attack complexity: High
Affected Products (1)
Arvados
Affected Vendors (1)
Arvados
References (1)
Third Party Advisory
https://github.com/arvados/arvados/security/advisories/GHSA-87jr-xwhg-cxjv
Risk score: 20 / 100 · low-risk
Severity: 14/34 · Moderate
Exploitability: 1/34 · Minimal
Exposure: 5/34 · Minimal