OSV:GHSA-J5G9-J7R4-6QVX
History: Jan 03, 2024 - 9:50 p.m.

Craft CMS Privilege Escalation

Published: 2024-01-03 21:50:26
Source: Google, osv.dev

Tags: craft cms, privilege escalation, vulnerability, impact, low complexity, fixed, user permissions, updates

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.4
Confidence: High
EPSS: 0.001
Percentile: 31.8%

Impact

This is a potential moderate-impact, low-complexity privilege escalation vulnerability in Craft CMS that affects installations with certain user permission setups.

Patches

This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.
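The advisory names a separate fixed version for each supported release line (4.4.16 for Craft 4.x, 3.9.6 for Craft 3.x), so a naive "is the version at least 4.4.16" check would wrongly flag every patched 3.x site. The following branch-aware version check is an added example written for this page; it is not code from the advisory or from the Craft CMS project. It assumes Craft reports its version as a semver-style string (major.minor.patch with an optional prerelease or build suffix) and that prerelease builds of the fixed version are still unpatched.

```python
# Added example: decide whether an installed Craft CMS version carries the fix
# described in this advisory. The fixed versions below are taken from the
# advisory text; everything else (parsing rules, inventory format) is assumed.
from typing import Dict, Optional, Tuple

# Fixed version per release line, as stated in the advisory's Patches section.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    3: (3, 9, 6),
    4: (4, 4, 16),
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'v4.4.15', '4.4.16-beta.1' or '4.4.16+build.7' into a sortable key.

    The trailing element is 0 for prerelease builds and 1 for final releases,
    so that 4.4.16-beta.1 sorts below 4.4.16 (semver precedence rule).
    Build metadata after '+' is ignored, as semver requires.
    """
    core = version.strip().lstrip("v").split("+", 1)[0]
    core, _, prerelease = core.partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Craft version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if prerelease else 1)


def is_fixed(installed: str) -> Optional[bool]:
    """Return True if the version is at or above the fix for its release line,
    False if it is below it, and None if this advisory says nothing about
    that release line (e.g. a major version it does not list)."""
    key = parse_version(installed)
    fixed = FIXED_VERSIONS.get(key[0])
    if fixed is None:
        return None
    return key >= fixed + (1,)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify a host -> version mapping into 'patched', 'vulnerable' or
    'unknown' so the result can feed a ticket or dashboard."""
    labels = {True: "patched", False: "vulnerable", None: "unknown"}
    return {host: labels[is_fixed(version)] for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {
        "www.example.test": "4.4.15",
        "intranet.example.test": "v4.5.3",
        "legacy.example.test": "3.9.5",
        "staging.example.test": "4.4.16-beta.1",
        "lab.example.test": "5.0.0",
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host:24s} {sample[host]:14s} {status}")
```

`parse_version` raises on anything that is not three dotted integers, which is deliberate: a version string that cannot be parsed should surface as an error rather than silently land in the "patched" bucket.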

References

https://github.com/craftcms/cms/pull/13932
https://github.com/craftcms/cms/pull/13931
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16
