
CVE-2025-5689 – Improper Permission Management in SSH Session Handling
https://notcve.org/view.php?id=CVE-2025-5689
16 Jun 2025 — A flaw was found in the temporary user record that authd uses in the pre-auth NSS. As a result, a user logging in for the first time will be considered to be part of the root group in the context of that SSH session. • https://github.com/ubuntu/authd/security/advisories/GHSA-g8qw-mgjx-rwjr • CWE-269: Improper Privilege Management •

CVE-2024-9312
https://notcve.org/view.php?id=CVE-2024-9312
10 Oct 2024 — Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges. • https://github.com/ubuntu/authd/security/advisories/GHSA-4gfw-wf7c-w6g2 • CWE-286: Incorrect User Management •

CVE-2024-9313
https://notcve.org/view.php?id=CVE-2024-9313
03 Oct 2024 — Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation with it, including authenticating as them. • https://github.com/ubuntu/authd/security/advisories/GHSA-x5q3-c8rm-w787 •