Advisories for Golang/Github.com/Ubuntu/Authd package

2025

New authd users logging in via SSH are members of the root group

When an authd user logs in via SSH for the first time (meaning they do not yet exist in the authd user database) and successfully authenticates via the configured broker, the user is considered a member of the root group in the context of that SSH session. This situation may allow the user to read and write files that are accessible by the root group, to which they should not …

2024

Authd allows attacker-controlled usernames to yield controllable UIDs

CVE description: Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges. —– original report —–

PAM module may allow accessing with the credentials of another user

An user can access as another user using its own credentials