Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 26 Aug 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Canonical
Canonical authd
Weaknesses CWE-335
CPEs cpe:2.3:a:canonical:authd:*:*:*:*:*:*:*:*
Vendors & Products Canonical
Canonical authd

Thu, 10 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Ubuntu
Ubuntu authd
CPEs cpe:2.3:a:ubuntu:authd:*:*:*:*:*:*:*:*
Vendors & Products Ubuntu
Ubuntu authd
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 10 Oct 2024 14:00:00 +0000

Type Values Removed Values Added
Description Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.
Weaknesses CWE-286
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2024-10-10T14:55:40.228Z

Reserved: 2024-09-27T23:20:44.757Z

Link: CVE-2024-9312

Vulnrichment

Updated: 2024-10-10T14:55:35.358Z

NVD

Status: Analyzed

Published: 2024-10-10T14:15:05.863

Modified: 2025-08-26T17:43:11.117

Link: CVE-2024-9312

Redhat

No data.

OpenCVE Enrichment

No data.