CVSS2 base score: 5.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS3 base score: 8.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS score: 0.001 Low
EPSS Percentile: 27.0%
fleetdm/fleet is an open source device management platform built on osquery. All
versions of Fleet that use the teams feature are affected by this
authorization bypass issue. Fleet instances without teams, or with teams
but without restricted team accounts, are not affected. In affected versions
a team admin can erroneously add themselves as admin, maintainer or
observer on other teams. Users are advised to upgrade to version 4.13.
There are no known workarounds for this issue.
github.com/fleetdm/fleet/commit/da171d3b8d149c30b8307723cbe6b6e8847cb30c
github.com/fleetdm/fleet/security/advisories/GHSA-pr2g-j78h-84cr
launchpad.net/bugs/cve/CVE-2022-24841
nvd.nist.gov/vuln/detail/CVE-2022-24841
security-tracker.debian.org/tracker/CVE-2022-24841
www.cve.org/CVERecord?id=CVE-2022-24841