| CVE ID | CVSS | Vendor | Exploit | Patch | Trends | 
|---|---|---|---|---|---|
| CVE-2024-9312: Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges. Original report follows. Cause: authd assigns user IDs as a pure function of the user name. Moreover, the set of UIDs is much too small for pseudo-random assignment to work: the birthday bound predicts random collisions will occur with probability 50% after only 54 562 IDs were assigned. authd only checks for uniqueness within its local cache, which (a) may be inconsistent across multiple systems within the same domain; (b) may be purged, due to being stored in /var/cache; (c) automatically removes entries of users who have not logged into that specific system within the last 6 months. The current GenerateID method, authored in September 2024 (commit a6c85ed24b8d17a2d11c859e8d70f5a52fa69690), repeatedly hashes the user name until the 4 leading bytes fall into the interval [60 000; 2³¹[ : https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/users/manager.go#L425 and https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/services/nss/nss.go#L188. Previous versions are affected by similar issues, though without the use of a cryptographic hash in GenerateID, making exploitation computationally easier. Impact: Since GenerateID is a pure function with no secret input, and the set of UIDs is small, an adversary which can register users with chosen names can register multiple users with colliding IDs, or register a single user whose ID collides with a target user's, whether one managed by authd, or a system user whose well-known ID is in a range which overlaps authd's. In the latter case, as all access control performed by the Linux kernel (and other Unices' kernels) is based on IDs and not usernames, if the attacker can sign into a system, they will have the same privileges as the target user. The attacker can bypass the uniqueness check in (at least) the following ways: engineer a situation where the system administrator purges /var/cache; target a system account whose UID is in authd's range; target an account which hasn't logged into a specific system in more than 6 months. Note that this isn't limited to inactive accounts within the entire domain, and impersonation on a given system can potentially be leveraged to compromise the target account on other systems; for example: user alice is known to log into 1.example.com; the attacker computes a preimage (a username which yields the same UID), let's call it bob; the attacker creates the account bob and logs into 2.example.com, succeeding if alice hasn't (recently) logged into that system; the attacker can now manipulate resources exposed on 2 as if they were alice; assuming /home is shared, they could manipulate ~alice/.ssh/authorized_keys, ~alice/.config, alice's shell's initialization file, etc. (note: NFSv4's idmap mechanism may prevent this, but isn't enabled by default, unless Kerberos is used, which isn't the case in an authd deployment); at that point, gaining code execution as alice on 1.example.com is usually trivial. Since the necessary computation can be performed entirely offline, this wouldn't be affected by any rate-limits, and the only audit trail would be a single user registration. This would require on average less than 2³¹ computations of GenerateID: assuming SHA-256's cost is 25 cycles-per-byte, a clock speed of 3GHz, and short (≤32B) generated usernames, this is less than 10 minutes of a single core's time. Remediation: The simplest and likely-best remediation path would be for the external IdP to provide a guaranteed-unique user ID in the correct range. In OIDC, this is commonly communicated through a claim, though its name would need to be configurable as there's no real standard: CERN uses cern_person_id (https://auth.docs.cern.ch/user-documentation/oidc/config/); Okta, Zitadel, and many other IdPs require the realm's administrator to define a custom attribute, conventionally called uid or uidNumber; etc. This is also supported by other commonplace identity providers, such as LDAP and Active Directory: https://learn.microsoft.com/en-us/windows/win32/adschema/a-uidNumber. MS Entra presumably supports this as well. If that is not possible for some reason, architectural changes to authd would likely be required: assigning user IDs from a small space (such as Linux's 32b UIDs) requires mutable state to ensure uniqueness, whereas authd's design currently assumes no mutable state is held, aside from some transient, local cache. Moreover, that mutable state may need to be synchronised across multiple machines as uniform UIDs are often necessary, for instance when accessing a common networked filesystem. Acknowledgements: Thanks to Michael Gebetsroither for assisting with the writeup, and Jamie Bliss for the same as well as investigating when the issue was introduced in authd. | CVSS 7.5 | Teether | - | Patched | |
| CVE-2024-7266: Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows a logged-in user to list all users in the system, including those from other organizations. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2. | CVSS 4.3 | Nask | - | - | |
| CVE-2024-7265: Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows a logged-in user to change the password of any user, including the root user, which could lead to privilege escalation. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2. | CVSS 8.8 | Nask | - | - | |
| CVE-2024-52359: IBM Concert Software 1.0.0, 1.0.1, 1.0.2, and 1.0.2.1 could allow an authenticated user to perform unauthorized actions that should be reserved to administrator users, due to improper access controls. | CVSS 4.3 | - | - | | |
| CVE-2024-29296: A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during the user authentication process, where a difference in response time could allow a remote unauthenticated user to determine whether a username is valid or not. | CVSS 5.3 | Portainer | Exploit | - | |
| CVE-2024-28020: A user/password reuse vulnerability exists in the FOXMAN-UN/UNEM application and server management. If exploited, a malicious user could use the passwords and login information to extend access on the server and other services. | CVSS 8 | Hitachienergy | - | Patched | |
| CVE-2024-27269: IBM QRadar SIEM 7.5 could allow a privileged user to configure user management in a way that would disclose unintended sensitive information across tenants. IBM X-Force ID: 284575. | CVSS 6.8 | - | - | | |
| CVE-2023-51750: ScaleFusion 10.5.2 does not properly limit users to the Edge application because file downloads can occur. NOTE: the vendor's position is "Not vulnerable if the default Windows device profile configuration is used which utilizes modern management with website allow-listing rules." | CVSS 4.6 | Scalefusion | - | Patched | |
| CVE-2023-3932: An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. | CVSS 6.5 | Gitlab | Exploit | - | |
| CVE-2023-3914: A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects. | CVSS 5.3 | Gitlab | - | - | |
| CVE-2023-3907: A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows a project Maintainer to use a Project Access Token to escalate their role to Owner. | CVSS 8.8 | Gitlab | - | Patched | |
| CVE-2023-3115: An issue has been discovered in GitLab EE affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories. | CVSS 4.3 | Gitlab | - | - | |
| CVE-2023-26689: An issue discovered in CS-Cart MultiVendor 4.16.1 allows attackers to alter arbitrary user account profiles via a crafted POST request. | CVSS 9.8 | Cs-cart | - | - | |
| CVE-2023-20253: A vulnerability in the command line interface (CLI) management interface of Cisco SD-WAN vManage could allow an authenticated, local attacker to bypass authorization and roll back the configuration on vManage controllers and edge router devices. This vulnerability is due to improper access control in the CLI management interface of an affected system. An attacker with low-privilege (read-only) access to the CLI could exploit this vulnerability by sending a request to roll back the configuration for other controllers and devices managed by an affected system. A successful exploit could allow the attacker to roll back the configuration for other controllers and devices managed by an affected system. | CVSS 5.5 | Cisco | - | Patched | |
| CVE-2022-35503: Improper verification of user input in Open Source MANO v7-v12 allows an authenticated attacker to execute arbitrary code within the LCM module container via a Virtual Network Function (VNF) descriptor. An attacker may be able to execute code to change the normal execution of the OSM components, retrieve confidential information, or gain access to other parts of a Telco Operator infrastructure other than OSM itself. | CVSS 7.5 | - | - | | |
| CVE-2022-32260: A vulnerability has been identified in SINEMA Remote Connect Server (all versions < V3.1). The affected application creates temporary user credentials for UMC (User Management Component) users. An attacker could use these temporary credentials for authentication bypass in certain scenarios. | CVSS 9.8 | Siemens | - | Patched | |
| CVE-2022-22518: A bug in the CmpUserMgr component can lead to only partially applied security policies. This can result in enabled anonymous access to components that are part of the applied security policy. | CVSS 6.5 | Codesys | - | Patched | |
| CVE-2021-21553: Dell PowerScale OneFS versions 8.1.0-9.1.0 contain an Incorrect User Management vulnerability. Under some specific conditions, this can allow the CompAdmin user to elevate privileges and break out of Compliance mode. This is a critical vulnerability and Dell recommends upgrading at the earliest. | CVSS 8.8 | Dell | - | Patched | |