Improper Authentication in authd - CVE-2024-9313


Published: October 5, 2024 / Updated: April 24, 2026


Vulnerability identifier: #VU98047
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-9313
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Canonical Ltd.
Affected software:
authd

Detailed vulnerability description

The vulnerability allows a remote user who already holds a broker-managed account to impersonate other users managed by the same broker.

The vulnerability exists due to an error in the authd PAM module that can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation as them, including authenticating as them. A remote user can exploit this through tools such as su, sudo or ssh (and potentially others) that, so far, do not ensure that the PAM user at the end of the transaction matches the one who initiated it. Note that the attacker needs a valid broker-managed account of their own (the CVSS vector above records this as PR:L), and only accounts managed by the same broker can be impersonated.
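The following is an added example and not code from authd, libpam or this advisory. It models the two places where the user switch described above can be stopped: in the module (the authenticated broker identity must equal the user the PAM transaction was started for) and in the client (su/sudo/ssh should re-read PAM_USER after pam_authenticate and refuse if it no longer names the user they started with). PamHandle is an in-memory stand-in for a PAM transaction, the broker's user list is constructed sample data, and the exact way the real module changed the user is an assumption made for illustration:

```python
"""Model of the user switch behind CVE-2024-9313 and the two checks that stop it.

Added example, not authd or libpam code: PamHandle is an in-memory stand-in for
a PAM transaction (pam_start / pam_authenticate / pam_get_item), BROKER_USERS is
constructed sample data, and the mechanism by which the flawed module changes
the user is an assumption made for illustration.
"""
from dataclasses import dataclass, field

PAM_USER = "PAM_USER"   # the PAM item naming the account being authenticated
PAM_SUCCESS = 0         # Linux-PAM status values, used only as return codes here
PAM_AUTH_ERR = 7


@dataclass
class PamHandle:
    """Minimal stand-in for pam_handle_t: a bag of PAM items."""
    items: dict = field(default_factory=dict)

    def set_item(self, name: str, value: str) -> None:
        self.items[name] = value

    def get_item(self, name: str):
        return self.items.get(name)


# Constructed sample data: accounts managed by one broker and their secrets.
BROKER_USERS = {"alice": "alice-secret", "bob": "bob-secret"}


def vulnerable_broker_module(pamh: PamHandle, presented_user: str, secret: str) -> int:
    """Flawed module (assumed behaviour): authenticates whichever broker account
    the caller presents and rewrites PAM_USER to that account, without checking
    that it is the account the transaction was started for."""
    if BROKER_USERS.get(presented_user) != secret:
        return PAM_AUTH_ERR
    pamh.set_item(PAM_USER, presented_user)      # the user switch happens here
    return PAM_SUCCESS


def fixed_broker_module(pamh: PamHandle, presented_user: str, secret: str) -> int:
    """Module-side fix: the identity authenticated with the broker must equal the
    PAM_USER the transaction was started for, and PAM_USER is never rewritten."""
    if presented_user != pamh.get_item(PAM_USER):
        return PAM_AUTH_ERR
    if BROKER_USERS.get(presented_user) != secret:
        return PAM_AUTH_ERR
    return PAM_SUCCESS


def login_like_tool(target_user: str, presented_user: str, secret: str,
                    module, check_final_user: bool):
    """Models su/sudo/ssh: start a transaction for target_user, run the module,
    then open a session for target_user. With check_final_user=True the tool
    additionally refuses if PAM_USER no longer names target_user, which is the
    client-side check the advisory says su, sudo and ssh did not perform.
    Returns the user a session is opened for, or None if access is refused."""
    pamh = PamHandle()
    pamh.set_item(PAM_USER, target_user)                   # pam_start(service, target_user, ...)
    if module(pamh, presented_user, secret) != PAM_SUCCESS:  # pam_authenticate
        return None
    if check_final_user and pamh.get_item(PAM_USER) != target_user:  # pam_get_item(PAM_USER)
        return None
    return target_user


if __name__ == "__main__":
    # alice (a broker-managed user) tries to become bob using her own credentials.
    for label, module, check in (("flawed module, no client check", vulnerable_broker_module, False),
                                 ("flawed module, client check   ", vulnerable_broker_module, True),
                                 ("fixed module, no client check ", fixed_broker_module, False)):
        print(label, "->", login_like_tool("bob", "alice", "alice-secret", module, check))
    print("fixed module, bob's own creds  ->",
          login_like_tool("bob", "bob", "bob-secret", fixed_broker_module, True))
```

The first case is the impersonation: alice's credentials are accepted, PAM_USER is silently rewritten, and a tool that trusts the outcome opens bob's session. Either check alone is enough to refuse it, but the module-side check is the one that does not depend on every PAM client being fixed, which is why the vendor update rather than client hardening is the mitigation.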


How to mitigate CVE-2024-9313

Install the updated authd package from the vendor's website.

Sources