CVE-2020-4042

Bareos before version 19.2.8 and earlier allows a malicious client to
communicate with the director without knowledge of the shared secret if the
director allows client initiated connection and connects to the client
itself. The malicious client can replay the Bareos director’s cram-md5
challenge to the director itself leading to the director responding to the
replayed challenge. The response obtained is then a valid reply to the
directors original challenge. This is fixed in version 19.2.8.