OpenCVE

Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Craftcms	Craft Cms

Configuration 1 [-]

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::

No data.

References

Link	Providers
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16
https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa
https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843
https://github.com/craftcms/cms/pull/13931
https://github.com/craftcms/cms/pull/13932
https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-03T16:51:25.704Z

Updated: 2024-08-01T22:27:35.206Z

Reserved: 2023-12-29T03:00:44.953Z

Link: CVE-2024-21622

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-03T17:15:12.330

Modified: 2024-01-10T18:34:46.497

Link: CVE-2024-21622

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21622", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T03:00:44.953Z", "datePublished": "2024-01-03T16:51:25.704Z", "dateUpdated": "2024-08-01T22:27:35.206Z"}, "containers": {"cna": {"title": "Craft CMS Privilege Escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx"}, {"name": "https://github.com/craftcms/cms/pull/13931", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/pull/13931"}, {"name": "https://github.com/craftcms/cms/pull/13932", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/pull/13932"}, {"name": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa"}, {"name": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843"}, {"name": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16"}, {"name": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 4.0.0-RC1, < 4.5.11", "status": "affected"}, {"version": ">= 3.0.0, < 3.9.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-03T16:51:25.704Z"}, "descriptions": [{"lang": "en", "value": "Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions."}], "source": {"advisory": "GHSA-j5g9-j7r4-6qvx", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:35.206Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx"}, {"name": "https://github.com/craftcms/cms/pull/13931", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/craftcms/cms/pull/13931"}, {"name": "https://github.com/craftcms/cms/pull/13932", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/craftcms/cms/pull/13932"}, {"name": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa"}, {"name": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843"}, {"name": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16"}, {"name": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "36AC4498-6DDF-4F74-BD12-86BF5479F10A", "versionEndExcluding": "3.9.6", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B004CCA-A979-42AD-ADD4-1BEFDB964C78", "versionEndIncluding": "4.5.15", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions."}, {"lang": "es", "value": "Craft es un sistema de gesti\u00f3n de contenidos. Esta es una posible vulnerabilidad de escalada de privilegios de baja complejidad y impacto moderado en Craft a partir de 3.x anterior a 3.9.6 y 4.x anterior a 4.4.16 con ciertas configuraciones de permisos de usuario. Esto se ha solucionado en Craft 4.4.16 y Craft 3.9.6. Los usuarios deben asegurarse de estar ejecutando al menos esas versiones."}], "id": "CVE-2024-21622", "lastModified": "2024-01-10T18:34:46.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-03T17:15:12.330", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/craftcms/cms/pull/13931"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/craftcms/cms/pull/13932"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}]}