Published on: Not Yet Published
Last Modified on: 09/26/2022 04:35:00 PM UTC
Arvados is an open source platform for managing and analyzing biomedical big data. In versions prior to 2.4.3, when using Portable Authentication Modules (PAM) for user authentication, if a user presented valid credentials but the account was disabled or otherwise not allowed to access the host (for example, because of an expired password), the user would still be accepted for access to Arvados. Other authentication methods (LDAP, OpenID Connect) supported by Arvados are not affected by this flaw. This issue is patched in version 2.4.3. A workaround for this issue is to migrate to a different authentication method supported by Arvados, such as LDAP.
- CVE-2022-39238 has been assigned by security-adviso[email protected] to track the vulnerability - currently rated as HIGH severity.
- Affected Vendor/Software: arvados - arvados version < 2.4.3
CVSS3 Score: 8.8 - HIGH
- Reference: Improper Authentication in Arvados when using PAM as identity provider · Advisory · arvados/arvados · GitHub (github.com)