CVE-2022-24976 — Improper Authentication in Atheme

CWE-287 — Improper Authentication4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

0.1%

top 68.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atheme Debian Atheme-services

Timeline

PublishedFeb 14

Latest updateFeb 15

Description

Atheme IRC Services before 7.2.12, when used in conjunction with InspIRCd, allows authentication bypass by ending an IRC handshake at a certain point during a challenge-response login sequence.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

▶debiandebian/atheme-services< atheme-services 7.2.12-1 (bookworm)

▶NVDatheme/atheme7.2.0 — 7.2.12

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-3fv4-6wvg-x83x: Atheme IRC Services before 7↗2022-02-15

▶

OSV

CVE-2022-24976: Atheme IRC Services before 7↗2022-02-14

▶

📋Vendor Advisories

Debian

CVE-2022-24976: atheme-services - Atheme IRC Services before 7.2.12, when used in conjunction with InspIRCd, allow...↗2022

▶