CWE-286
Allowed-with-ReviewIncorrect User Management
Abstraction: Class · Status: Incomplete
The product does not properly manage a user within its environment.
58 vulnerabilities reference this CWE, most recent first.
CVE-2022-45857 (GCVE-0-2022-45857)
Vulnerability from cvelistv5 – Published: 2023-01-05 07:37 – Updated: 2024-10-22 20:50- CWE-286 - Improper access control
| Vendor | Product | Version | |
|---|---|---|---|
| Fortinet | FortiManager |
Affected:
7.0.0 , ≤ 7.0.1
(semver)
Affected: 6.4.0 , ≤ 6.4.7 (semver) Affected: 6.2.0 , ≤ 6.2.8 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:24:03.199Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://fortiguard.com/psirt/FG-IR-22-371",
"tags": [
"x_transferred"
],
"url": "https://fortiguard.com/psirt/FG-IR-22-371"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-45857",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T20:18:45.615630Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T20:50:54.914Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FortiManager",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "7.0.1",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.7",
"status": "affected",
"version": "6.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.8",
"status": "affected",
"version": "6.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An incorrect user management vulnerability [CWE-286] in the FortiManager version 6.4.6 and below VDOM creation component may allow an attacker to access a FortiGate without a password via newly created VDOMs after the super_admin account is deleted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:H/E:F/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-286",
"description": "Improper access control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-05T07:37:57.731Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.com/psirt/FG-IR-22-371",
"url": "https://fortiguard.com/psirt/FG-IR-22-371"
}
],
"solutions": [
{
"lang": "en",
"value": "Please upgrade to FortiManager version 7.0.2 or above\r\nPlease upgrade to FortiManager version 6.4.8 or above\r\nPlease upgrade to FortiManager version 6.2.9 or above"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2022-45857",
"datePublished": "2023-01-05T07:37:57.731Z",
"dateReserved": "2022-11-23T14:57:05.612Z",
"dateUpdated": "2024-10-22T20:50:54.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32260 (GCVE-0-2022-32260)
Vulnerability from cvelistv5 – Published: 2022-06-14 09:22 – Updated: 2024-08-03 07:39- CWE-286 - Incorrect User Management
| URL | Tags |
|---|---|
| https://cert-portal.siemens.com/productcert/pdf/s… | x_refsource_MISC |
| https://cert-portal.siemens.com/productcert/html/… |
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | SINEMA Remote Connect Server |
Affected:
0 , < V3.2 SP1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-32260",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T18:05:15.415473Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T18:05:33.739Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:39:50.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/html/ssa-381581.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SINEMA Remote Connect Server",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.2 SP1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions \u003c V3.2 SP1). The affected application creates temporary user credentials for UMC (User Management Component) users. An attacker could use these temporary credentials for authentication bypass in certain scenarios."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-286",
"description": "CWE-286: Incorrect User Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T12:04:18.126Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-381581.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2022-32260",
"datePublished": "2022-06-14T09:22:14.000Z",
"dateReserved": "2022-06-02T00:00:00.000Z",
"dateUpdated": "2024-08-03T07:39:50.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-26262 (GCVE-0-2021-26262)
Vulnerability from cvelistv5 – Published: 2021-11-19 18:35 – Updated: 2026-04-02 13:44- CWE-286 - Incorrect User Management
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:20.290Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MRI 1.5T",
"vendor": "Philips",
"versions": [
{
"lessThanOrEqual": "5.8.1",
"status": "affected",
"version": "5.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MRI 3T",
"vendor": "Philips",
"versions": [
{
"lessThanOrEqual": "5.8.1",
"status": "affected",
"version": "5.3",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:philips:mri_1.5t:*:*:*:*:*:*:*:*",
"versionEndIncluding": "5.8.1",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:philips:mri_3t:*:*:*:*:*:*:*:*",
"versionEndIncluding": "5.8.1",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Aguilar, a Secureworks Adversary Group consultant, reported these vulnerabilities to Philips."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePhilips MRI 1.5T and MRI 3T Version 5.3 through 5.8.1 does not restrict or incorrectly restricts access to a resource from an unauthorized actor.\u003c/p\u003e"
}
],
"value": "Philips MRI 1.5T and MRI 3T Version 5.3 through 5.8.1 does not restrict or incorrectly restricts access to a resource from an unauthorized actor."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-286",
"description": "CWE-286 Incorrect User Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T13:44:46.768Z",
"orgId": "20705f08-db8b-4497-8f94-7eea62317651",
"shortName": "Philips"
},
"references": [
{
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"
},
{
"url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
}
],
"source": {
"advisory": "ICSMA-21-313-01",
"discovery": "EXTERNAL"
},
"title": "Philips MRI 1.5T and 3T Improper Access Control",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\nPhilips released a software upgrade version 5.8.2 to remediate these vulnerabilities and can be\nreferenced by FCO78100619.\n\n As an interim mitigation to these vulnerabilities, Philips recommends the following:\u003c/p\u003e\u003cp\u003eUsers should operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls. Only allowed personnel are permitted in the vicinity of the product. Refer to the Philips instructions for use (IFU) available on InCenter https://incenter.medical.philips.com.\u003c/p\u003e\u003cp\u003eUsers with questions about their specific MRI product should contact a Philips service support team or regional service support. Philips contact information is available at the Philips customer service solutions website \nhttp://philips.com/productsecurity\n\nor by calling 1-800-722-9377. \u003c/p\u003e\u003cp\u003eFor more information regarding these vulnerabilities, see the Philips product security advisory website \nhttp://philips.com/productsecurity.\u003c/p\u003e\u003cp\u003eUsers can also visit the Philips product security website for the latest security information for Philips products.\u003c/p\u003e"
}
],
"value": "Philips released a software upgrade version 5.8.2 to remediate these vulnerabilities and can be\nreferenced by FCO78100619.\n\n As an interim mitigation to these vulnerabilities, Philips recommends the following:\n\nUsers should operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls. Only allowed personnel are permitted in the vicinity of the product. Refer to the Philips instructions for use (IFU) available on InCenter https://incenter.medical.philips.com.\n\nUsers with questions about their specific MRI product should contact a Philips service support team or regional service support. Philips contact information is available at the Philips customer service solutions website \nhttp://philips.com/productsecurity\n\nor by calling 1-800-722-9377. \n\nFor more information regarding these vulnerabilities, see the Philips product security advisory website \nhttp://philips.com/productsecurity.\n\nUsers can also visit the Philips product security website for the latest security information for Philips products."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2021-26262",
"STATE": "PUBLIC",
"TITLE": "Philips MRI 1.5T and 3T Improper Access Control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MRI 1.5T",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "All",
"version_value": "5.x.x"
}
]
}
},
{
"product_name": "MRI 3T",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "5.x.x"
}
]
}
}
]
},
"vendor_name": "Philips"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Michael Aguilar, a Secureworks Adversary Group consultant, reported these vulnerabilities to Philips."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Philips MRI 1.5T and MRI 3T Version 5.x.x does not restrict or incorrectly restricts access to a resource from an unauthorized actor."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"
},
{
"name": "https://www.usa.philips.com/healthcare/about/customer-support/product-security",
"refsource": "MISC",
"url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
}
]
},
"source": {
"advisory": "ICSMA-21-313-01",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Philips plans a new release to remediate these vulnerabilities by October 2022. As an interim mitigation to these vulnerabilities, Philips recommends the following:Users should operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls. Only allowed personnel are permitted in the vicinity of the product. Refer to the Philips instructions for use (IFU) available on InCenter.Users with questions about their specific MRI product should contact a Philips service support team or regional service support. Philips contact information is available at the Philips customer service solutions website or by calling 1-800-722-9377. For more information regarding these vulnerabilities, see the Philips product security advisory website.Users can also visit the Philips product security website for the latest security information for Philips products."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-26262",
"datePublished": "2021-11-19T18:35:52.000Z",
"dateReserved": "2021-11-11T00:00:00.000Z",
"dateUpdated": "2026-04-02T13:44:46.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-21553 (GCVE-0-2021-21553)
Vulnerability from cvelistv5 – Published: 2021-08-02 23:45 – Updated: 2024-09-17 03:54- CWE-286 - Incorrect User Management
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/000188148 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | PowerScale OneFS |
Affected:
8.1.0-9.1.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:16:23.038Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.dell.com/support/kbdoc/000188148"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PowerScale OneFS",
"vendor": "Dell",
"versions": [
{
"status": "affected",
"version": "8.1.0-9.1.0"
}
]
}
],
"datePublic": "2021-06-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Dell PowerScale OneFS versions 8.1.0-9.1.0 contain an Incorrect User Management vulnerability.under some specific conditions, this can allow the CompAdmin user to elevate privileges and break out of Compliance mode. This is a critical vulnerability and Dell recommends upgrading at the earliest."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-286",
"description": "CWE-286: Incorrect User Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-02T23:45:14.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.dell.com/support/kbdoc/000188148"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2021-06-09",
"ID": "CVE-2021-21553",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PowerScale OneFS",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "8.1.0-9.1.0"
}
]
}
}
]
},
"vendor_name": "Dell"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Dell PowerScale OneFS versions 8.1.0-9.1.0 contain an Incorrect User Management vulnerability.under some specific conditions, this can allow the CompAdmin user to elevate privileges and break out of Compliance mode. This is a critical vulnerability and Dell recommends upgrading at the earliest."
}
]
},
"impact": {
"cvss": {
"baseScore": 7.3,
"baseSeverity": "High",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-286: Incorrect User Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.dell.com/support/kbdoc/000188148",
"refsource": "MISC",
"url": "https://www.dell.com/support/kbdoc/000188148"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2021-21553",
"datePublished": "2021-08-02T23:45:14.588Z",
"dateReserved": "2021-01-04T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:54:58.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-4GFW-WF7C-W6G2
Vulnerability from github – Published: 2024-10-10 16:43 – Updated: 2024-10-10 16:43CVE description:
Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.
----- original report -----
Cause
authd assigns user IDs as a pure function of the user name. Moreover, the set of UIDs is much too small for pseudo-random assignment to work: the birthday bound predicts random collisions will occur with probability 50% after only 54 562 IDs were assigned.
authd only checks for uniqueness within its local cache, which
- may be inconsistent across multiple systems within the same domain ;
- may be purged, due to being stored in /var/cache ;
- automatically removes entries of users who have not logged into that specific system within the last 6 months.
The current GenerateID method, authored in September 2024 (commit a6c85ed24b8d17a2d11c859e8d70f5a52fa69690),
repeatedly hashes the user name until the 4 leading bytes fall into the interval [60 000; 2³¹[ :
https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/users/manager.go#L425
https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/services/nss/nss.go#L188
Previous versions are affected by similar issues, though without the use of a cryptographic hash in GenerateID, making exploitation computationally-easier.
Impact
Since GenerateID is a pure function with no secret input, and the set of UIDs is small, an adversary which can register users with chosen names can
- register multiple users with colliding IDs, or
- register a single user whose ID collides with a target user's, whether one managed by authd, or a system user whose well-known ID is in a range which [overlaps authd's].
In the latter case, as all access control performed by the Linux kernel (and other Unices' kernels) is based on IDs and not usernames, if the attacker can sign into a system, they will have the same privileges as the target user. The attacker can bypass the uniqueness check in (at least) the following ways:
- engineer a situation where the system administrator purges /var/cache ;
- target a system account whose UID is in authd's range ;
- target an account which hasn't logged into a specific system in more than 6 months.
Note that this isn't limited to inactive accounts within the entire domain, and impersonation on a given system can potentially be leveraged to compromise the target account on other systems; for example:
- user alice is known to log into 1.example.com ;
- the attacker computes a preimage (a username which yields the same UID), let's call it bob ;
- the attacker creates the account bob and logs into 2.example.com, succeeding if alice hasn't (recently) logged into that system ;
- the attacker can now manipulate resources exposed on 2 as if they were alice; assuming /home is shared, they could manipulate ~alice/.ssh/authorized_keys, ~alice/.config, alice's shell's initialization file, etc.
Note: NFSv4's idmap mechanism may prevent this, but isn't enabled by default (unless Kerberos is used, which isn't the case in an authd deployment)
- at that point, gaining code execution as alice on 1.example.com is usually trivial.
Since the necessary computation can be performed entirely offline, this wouldn't be affected by any rate-limits, and the only audit trail would be a single user registration. This would require on average less than 2³¹ computations of GenerateID: assuming SHA-256's cost is 25 cycles-per-byte, a clock speed of 3GHz, and short (≤32B) generated usernames, this is less than 10 minutes of a single core's time.
Remediation
The simplest and likely-best remediation path would be for the external IdP to provide a guaranteed-unique user ID in the correct range.
In OIDC, this is commonly communicated through a claim, though its name would need to be configurable as there's no real standard:
- CERN uses cern_person_id: https://auth.docs.cern.ch/user-documentation/oidc/config/ ;
- Okta, Zitadel, and many other IdPs, require the realm's administrator to define a custom attribute, conventionally called uid or uidNumber ;
- etc.
This is also supported by other commonplace identity providers, such as LDAP and Active Directory: https://learn.microsoft.com/en-us/windows/win32/adschema/a-uidNumber
MS Entra presumably supports this as well.
If that is not possible for some reason, architectural changes to authd would likely be required: assigning user IDs from a small space (such as Linux's 32b UIDs) requires mutable state to ensure uniqueness, whereas authd's design currently assumes no mutable state is held, aside from some transient, local cache. Moreover, that mutable state may need to be synchronised across multiple machines as uniform UIDs are often necessary, for instance when accessing a common networked filesystem.
Acknowledgements
Thanks to Michael Gebetsroither for assisting with the writeup, and Jamie Bliss for the same as well as investigating when the issue was introduced in authd.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ubuntu/authd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.0-20230706090440-d8cb2d561419"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-9312"
],
"database_specific": {
"cwe_ids": [
"CWE-286"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-10T16:43:58Z",
"nvd_published_at": "2024-10-10T14:15:05Z",
"severity": "MODERATE"
},
"details": "CVE description:\n\nAuthd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user\u0027s ID and gain their privileges.\n\n\n----- original report -----\n# Cause\nauthd assigns user IDs as a pure function of the user name. Moreover, the set of UIDs is much too small for pseudo-random assignment to work: the birthday bound predicts random collisions will occur with probability 50% after only 54 562 IDs were assigned.\n\n`authd` only checks for uniqueness [within its local cache](https://github.com/ubuntu/authd/blob/4946962aa4ac6e5b7d2b53503026659581c73907/internal/users/cache/update.go#L67-L71), which\n- may be inconsistent across multiple systems within the same domain ;\n- may be purged, due to being stored in `/var/cache` ;\n- automatically removes entries of users who have not logged into that specific system within the last 6 months.\n\nThe current `GenerateID` method, authored in September 2024 (commit a6c85ed24b8d17a2d11c859e8d70f5a52fa69690),\nrepeatedly hashes the user name until the 4 leading bytes fall into the interval [60 000; 2\u00b3\u00b9[ :\nhttps://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/users/manager.go#L425\nhttps://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/services/nss/nss.go#L188\n\nPrevious versions are affected by similar issues, though without the use of a cryptographic hash in `GenerateID`, making exploitation computationally-easier.\n\n\n# Impact\n\nSince GenerateID is a pure function with no secret input, and the set of UIDs is small, an adversary which can register users with chosen names can\n- register multiple users with colliding IDs, or\n- register a single user whose ID collides with a target user\u0027s, whether one managed by `authd`, or a system user whose well-known ID is in a range which [overlaps `authd`\u0027s].\n\nIn the latter case, as all access control performed by the Linux kernel (and other Unices\u0027 kernels) is based on IDs and not usernames, if the attacker can sign into a system, they will have the same privileges as the target user. The attacker can bypass the uniqueness check in (at least) the following ways:\n- engineer a situation where the system administrator purges `/var/cache` ;\n- target a system account [whose UID is in `authd`\u0027s range](https://github.com/ubuntu/authd/issues/547) ;\n- target an account which hasn\u0027t logged into a specific system in more than 6 months.\n Note that this isn\u0027t limited to inactive accounts *within the entire domain*, and impersonation on a given system can potentially be leveraged to compromise the target account on other systems; for example:\n - user `alice` is known to log into `1.example.com` ;\n - the attacker computes a preimage (a username which yields the same UID), let\u0027s call it `bob` ;\n - the attacker creates the account `bob` and logs into `2.example.com`, succeeding if alice hasn\u0027t (recently) logged into that system ;\n - the attacker can now manipulate resources exposed on `2` as if they were alice; assuming `/home` is shared, they could manipulate `~alice/.ssh/authorized_keys`, `~alice/.config`, alice\u0027s shell\u0027s initialization file, etc.\n Note: NFSv4\u0027s `idmap` mechanism may prevent this, but isn\u0027t enabled by default (unless Kerberos is used, which isn\u0027t the case in an `authd` deployment)\n - at that point, gaining code execution as alice on `1.example.com` is usually trivial.\n\nSince the necessary computation can be performed entirely offline, this wouldn\u0027t be affected by any rate-limits, and the only audit trail would be a single user registration. This would require on average less than 2\u00b3\u00b9 computations of `GenerateID`: assuming SHA-256\u0027s cost is 25 cycles-per-byte, a clock speed of 3GHz, and short (\u226432B) generated usernames, this is less than 10 minutes of a single core\u0027s time.\n\n[overlaps `authd`\u0027s]: https://github.com/ubuntu/authd/issues/547\n\n# Remediation\n\nThe simplest and likely-best remediation path would be for the external IdP to provide a guaranteed-unique user ID in the correct range.\nIn OIDC, this is commonly communicated through a claim, though its name would need to be configurable as there\u0027s no real standard:\n- CERN uses `cern_person_id`: https://auth.docs.cern.ch/user-documentation/oidc/config/ ;\n- Okta, Zitadel, and many other IdPs, require the realm\u0027s administrator to define a custom attribute, conventionally called `uid` or `uidNumber` ;\n- etc.\n\nThis is also supported by other commonplace identity providers, such as LDAP and Active Directory:\nhttps://learn.microsoft.com/en-us/windows/win32/adschema/a-uidNumber\n\nMS Entra presumably supports this as well.\n\n\nIf that is not possible for some reason, architectural changes to authd would likely be required:\nassigning user IDs from a small space (such as Linux\u0027s 32b UIDs) requires mutable state to ensure uniqueness, whereas authd\u0027s design currently assumes no mutable state is held, aside from some transient, local cache.\nMoreover, that mutable state may need to be synchronised across multiple machines as uniform UIDs are often necessary, for instance when accessing a common networked filesystem.\n\n\n# Acknowledgements\n\nThanks to Michael Gebetsroither for assisting with the writeup, and Jamie Bliss for the same as well as investigating when the issue was introduced in authd.",
"id": "GHSA-4gfw-wf7c-w6g2",
"modified": "2024-10-10T16:43:58Z",
"published": "2024-10-10T16:43:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ubuntu/authd/security/advisories/GHSA-4gfw-wf7c-w6g2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9312"
},
{
"type": "PACKAGE",
"url": "https://github.com/ubuntu/authd"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9312"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Authd allows attacker-controlled usernames to yield controllable UIDs"
}
GHSA-4W92-QGPC-QCC9
Vulnerability from github – Published: 2025-08-11 21:31 – Updated: 2025-08-11 21:31A vulnerability in ABB Aspect.This issue affects Aspect: before <3.08.04-s01.
{
"affected": [],
"aliases": [
"CVE-2025-53190"
],
"database_specific": {
"cwe_ids": [
"CWE-286"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-11T19:15:29Z",
"severity": "HIGH"
},
"details": "A vulnerability in ABB Aspect.This issue affects Aspect: before \u003c3.08.04-s01.",
"id": "GHSA-4w92-qgpc-qcc9",
"modified": "2025-08-11T21:31:40Z",
"published": "2025-08-11T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53190"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A4462\u0026LanguageCode=en\u0026DocumentPartId=pdf\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5WVF-7FQ8-M4W6
Vulnerability from github – Published: 2024-08-07 12:31 – Updated: 2025-03-17 09:31Incorrect User Management vulnerability in Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy EZD RP allows logged-in user to list all users in the system, including those from other organizations. This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.
{
"affected": [],
"aliases": [
"CVE-2024-7266"
],
"database_specific": {
"cwe_ids": [
"CWE-286",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-07T11:15:46Z",
"severity": "HIGH"
},
"details": "Incorrect User Management vulnerability in Naukowa i Akademicka Sie\u0107 Komputerowa - Pa\u0144stwowy Instytut Badawczy EZD RP allows logged-in user to list all users in the system, including those from other organizations.\u00a0This issue affects EZD RP: from 15 before 15.84, from 16 before 16.15, from 17 before 17.2.",
"id": "GHSA-5wvf-7fq8-m4w6",
"modified": "2025-03-17T09:31:01Z",
"published": "2024-08-07T12:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7266"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2024/08/CVE-2023-7265"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2024/08/CVE-2024-7265"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2024/08/CVE-2023-7265"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2024/08/CVE-2024-7265"
},
{
"type": "WEB",
"url": "https://www.gov.pl/web/ezd-rp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:D/RE:L/U:Green",
"type": "CVSS_V4"
}
]
}
GHSA-5X88-X3VG-442P
Vulnerability from github – Published: 2023-09-29 09:30 – Updated: 2024-04-04 07:58An issue has been discovered in GitLab EE affecting all versions affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories.
{
"affected": [],
"aliases": [
"CVE-2023-3115"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-286"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-29T07:15:13Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab EE affecting all versions affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories.",
"id": "GHSA-5x88-x3vg-442p",
"modified": "2024-04-04T07:58:07Z",
"published": "2023-09-29T09:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3115"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2004158"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/414367"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6F6C-487W-2449
Vulnerability from github – Published: 2023-09-29 09:30 – Updated: 2024-04-04 07:58A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects.
{
"affected": [],
"aliases": [
"CVE-2023-3914"
],
"database_specific": {
"cwe_ids": [
"CWE-286"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-29T07:15:13Z",
"severity": "MODERATE"
},
"details": "A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects.",
"id": "GHSA-6f6c-487w-2449",
"modified": "2024-04-04T07:58:10Z",
"published": "2023-09-29T09:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3914"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2040822"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/418115"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-87X6-8M9V-G8C2
Vulnerability from github – Published: 2024-04-10 15:30 – Updated: 2024-08-01 15:31A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.
{
"affected": [],
"aliases": [
"CVE-2024-29296"
],
"database_specific": {
"cwe_ids": [
"CWE-286"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-10T15:16:05Z",
"severity": "MODERATE"
},
"details": "A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.",
"id": "GHSA-87x6-8m9v-g8c2",
"modified": "2024-08-01T15:31:38Z",
"published": "2024-04-10T15:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29296"
},
{
"type": "WEB",
"url": "https://github.com/ThaySolis/CVE-2024-29296"
},
{
"type": "WEB",
"url": "http://portainer.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.