An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02Y3A3LWc5NzItdzltOc0wjA

Use of a Key Past its Expiration Date and Insufficient Session Expiration in Maddy Mail Server


Any configuration on any maddy version <0.5.4 using auth.pam is affected.

No password expiry or account expiry checking is done when authenticating using PAM.


Patch is available as part of the 0.5.4 release.


If /etc/shadow authentication is used, it is possible to replace auth.pam with auth.shadow which is not affected.

It is possible to blacklist expired accounts via existing filtering mechanisms (e.g. auth_map to invalid accounts in storage.imapsql).


For more information

If you have any questions or comments about this advisory:

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: about 1 year ago

CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-6cp7-g972-w9m9, CVE-2022-24732
References: Repository:
Blast Radius: 1.9

Affected Packages
Dependent packages: 3
Dependent repositories: 2
Affected Version Ranges: < 0.5.4
Fixed in: 0.5.4
All affected versions: 0.0.1, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.5.2, 0.5.3
All unaffected versions: 0.5.4, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1