Authd
CVE-2024-9312
MEDIUM
Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.
AnalysisAI
Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. Rated medium severity (CVSS 6.4). Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-286. Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges. Affected products include: Canonical Authd. Version information: version 0.3.6.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same b
Privilege escalation flaw in authd's temporary user record handling during pre-authentication NSS operations that causes
authd prior to version 0.6.4 contains a logic error in primary group ID assignment that can lead to local privilege esca
authd sets weak permissions for /etc/ident.key, which allows local users to obtain the key by leveraging a race conditio
Same weakness CWE-286 – Incorrect User Management
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today