The mod_auth_shadow module 1.4 and earlier does not properly enforce the expiration of a user account and password, which could allow remote authenticated users to bypass intended access restrictions.
http://www.securitytracker.com/id?1008675
http://www.securityfocus.com/bid/9404