Unrated severityNVD Advisory· Published Jul 10, 2020· Updated Aug 4, 2024

Authentication bypass in Bareos

CVE-2020-4042

Description

Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to the director itself leading to the director responding to the replayed challenge. The response obtained is then a valid reply to the directors original challenge. This is fixed in version 19.2.8.

Affected products

Bareftp/Bareosv5
Range: < 19.2.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bugs.bareos.org/view.phpmitrex_refsource_MISC
github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000