{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9312", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2024-09-27T23:20:44.757Z", "datePublished": "2024-10-10T13:42:31.950Z", "dateUpdated": "2024-10-10T14:55:40.228Z"}, "containers": {"cna": {"affected": [{"packageName": "authd", "product": "Authd", "vendor": "Canonical Ltd.", "repo": "https://github.com/ubuntu/authd", "platforms": ["Linux"], "versions": [{"status": "affected", "version": "0", "lessThan": "0.3.6", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges."}], "references": [{"tags": ["issue-tracking"], "url": "https://github.com/ubuntu/authd/security/advisories/GHSA-4gfw-wf7c-w6g2"}, {"tags": ["issue-tracking"], "url": "https://www.cve.org/CVERecord?id=CVE-2024-9312"}], "credits": [{"lang": "en", "type": "finder", "value": "nicoo"}, {"lang": "en", "type": "analyst", "value": "Michael Gebetsroither"}, {"lang": "en", "type": "analyst", "value": "Jamie Bliss"}, {"lang": "en", "value": "Adrian Dombeck", "type": "remediation developer"}, {"lang": "en", "value": "Mark Esler", "type": "coordinator"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-286", "description": "CWE-286", "lang": "en", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2024-10-10T13:42:31.950Z"}}, "adp": [{"affected": [{"vendor": "ubuntu", "product": "authd", "cpes": ["cpe:2.3:a:ubuntu:authd:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.3.6", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-10T14:53:16.310907Z", "id": "CVE-2024-9312", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-10T14:55:40.228Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-9312", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-10T14:53:16.310907Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ubuntu:authd:*:*:*:*:*:*:*:*"], "vendor": "ubuntu", "product": "authd", "versions": [{"status": "affected", "version": "0", "lessThan": "0.3.6", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-10T14:55:35.358Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "nicoo"}, {"lang": "en", "type": "analyst", "value": "Michael Gebetsroither"}, {"lang": "en", "type": "analyst", "value": "Jamie Bliss"}, {"lang": "en", "type": "remediation developer", "value": "Adrian Dombeck"}, {"lang": "en", "type": "coordinator", "value": "Mark Esler"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"repo": "https://github.com/ubuntu/authd", "vendor": "Canonical Ltd.", "product": "Authd", "versions": [{"status": "affected", "version": "0", "lessThan": "0.3.6", "versionType": "semver"}], "platforms": ["Linux"], "packageName": "authd"}], "references": [{"url": "https://github.com/ubuntu/authd/security/advisories/GHSA-4gfw-wf7c-w6g2", "tags": ["issue-tracking"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2024-9312", "tags": ["issue-tracking"]}], "descriptions": [{"lang": "en", "value": "Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-286", "description": "CWE-286"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2024-10-10T13:42:31.950Z"}}}, "cveMetadata": {"cveId": "CVE-2024-9312", "state": "PUBLISHED", "dateUpdated": "2024-10-10T14:55:40.228Z", "dateReserved": "2024-09-27T23:20:44.757Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2024-10-10T13:42:31.950Z", "assignerShortName": "canonical"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:authd:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2665677-2BEF-4230-AF87-5C0530CF7193", "versionEndExcluding": "0.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges."}, {"lang": "es", "value": "Authd, hasta la versi\u00f3n 0.3.6, no aleatorizaba lo suficiente los identificadores de usuario para evitar colisiones. Un atacante local que pudiera registrar nombres de usuario podr\u00eda falsificar el identificador de otro usuario y obtener sus privilegios."}], "id": "CVE-2024-9312", "lastModified": "2025-08-26T17:43:11.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 6.0, "source": "security@ubuntu.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-10-10T14:15:05.863", "references": [{"source": "security@ubuntu.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/ubuntu/authd/security/advisories/GHSA-4gfw-wf7c-w6g2"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2024-9312"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-286"}], "source": "security@ubuntu.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-335"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}