Improper Authorization in fredhutch/motuz


Reported on

Mar 7th 2022


When motuz is configured for PAM authentification it skips checking authorization completely. Therefore unprivileged expired accounts and accounts with expired passwords can still login.

Proof of Concept

You can expire an account with chage -E0 <username> and still login.


Since disabling an account in PAM still allows to login via ssh-keys, it's common to set accounts to expire if you want to deny access. So accounts who technically don't have any privilege are still allowed to login. To circumvent this, after an successful call to pam_authenticateit is necessary to call pam_acct_mgmt.


We are processing your report and will contact the fredhutch/motuz team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a a year ago
ysf submitted a
a year ago
We have contacted a member of the fredhutch/motuz team and are waiting to hear back a year ago
fredhutch/motuz maintainer validated this vulnerability a year ago
ysf has been awarded the disclosure bounty
The fix bounty is now up for grabs
fredhutch/motuz maintainer marked this as fixed in 0.2.0 with commit b5a95c a year ago
ysf has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation