CVE-2024-21622

Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16	Release Notes
https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16	Release Notes
https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa	Patch
https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843	Patch
https://github.com/craftcms/cms/pull/13931	Issue Tracking Patch
https://github.com/craftcms/cms/pull/13932	Issue Tracking Patch
https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::

History

No history.

Information

Published : 2024-01-03 17:15

Updated : 2024-01-10 18:34

NVD link : CVE-2024-21622

Mitre link : CVE-2024-21622

CVE.ORG link : CVE-2024-21622

JSON object : View

Products Affected

craftcms

craft_cms

CWE

NVD-CWE-noinfo CWE-269

Improper Privilege Management

{"id": "CVE-2024-21622", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-01-03T17:15:12.330", "references": [{"url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/pull/13931", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/pull/13932", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions."}, {"lang": "es", "value": "Craft es un sistema de gesti\u00f3n de contenidos. Esta es una posible vulnerabilidad de escalada de privilegios de baja complejidad y impacto moderado en Craft a partir de 3.x anterior a 3.9.6 y 4.x anterior a 4.4.16 con ciertas configuraciones de permisos de usuario. Esto se ha solucionado en Craft 4.4.16 y Craft 3.9.6. Los usuarios deben asegurarse de estar ejecutando al menos esas versiones."}], "lastModified": "2024-01-10T18:34:46.497", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36AC4498-6DDF-4F74-BD12-86BF5479F10A", "versionEndExcluding": "3.9.6", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9B004CCA-A979-42AD-ADD4-1BEFDB964C78", "versionEndIncluding": "4.5.15", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}