CVE-2024-21622 - Vulnerability Details - OpenCVE

Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Craftcms	Craft Cms

Configuration 1 [-]

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::

No data.

References

Link	Providers
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16
https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa
https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843
https://github.com/craftcms/cms/pull/13931
https://github.com/craftcms/cms/pull/13932
https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx

History

Thu, 17 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-03T16:51:25.704Z

Updated: 2025-04-17T18:35:24.623Z

Reserved: 2023-12-29T03:00:44.953Z

Link: CVE-2024-21622

Vulnrichment

Updated: 2024-08-01T22:27:35.206Z

NVD

Status : Modified

Published: 2024-01-03T17:15:12.330

Modified: 2024-11-21T08:54:44.617

Link: CVE-2024-21622

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21622", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T03:00:44.953Z", "datePublished": "2024-01-03T16:51:25.704Z", "dateUpdated": "2025-04-17T18:35:24.623Z"}, "containers": {"cna": {"title": "Craft CMS Privilege Escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx"}, {"name": "https://github.com/craftcms/cms/pull/13931", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/pull/13931"}, {"name": "https://github.com/craftcms/cms/pull/13932", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/pull/13932"}, {"name": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa"}, {"name": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843"}, {"name": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16"}, {"name": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 4.0.0-RC1, < 4.5.11", "status": "affected"}, {"version": ">= 3.0.0, < 3.9.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-03T16:51:25.704Z"}, "descriptions": [{"lang": "en", "value": "Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions."}], "source": {"advisory": "GHSA-j5g9-j7r4-6qvx", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:35.206Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx"}, {"name": "https://github.com/craftcms/cms/pull/13931", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/craftcms/cms/pull/13931"}, {"name": "https://github.com/craftcms/cms/pull/13932", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/craftcms/cms/pull/13932"}, {"name": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa"}, {"name": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843"}, {"name": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16"}, {"name": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-01-08T17:11:55.447281Z", "id": "CVE-2024-21622", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T18:35:24.623Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/craftcms/cms/pull/13931", "name": "https://github.com/craftcms/cms/pull/13931", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/craftcms/cms/pull/13932", "name": "https://github.com/craftcms/cms/pull/13932", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa", "name": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843", "name": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16", "name": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16", "name": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:35.206Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21622", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-08T17:11:55.447281Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T18:35:14.676Z"}}], "cna": {"title": "Craft CMS Privilege Escalation", "source": {"advisory": "GHSA-j5g9-j7r4-6qvx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 4.0.0-RC1, < 4.5.11"}, {"status": "affected", "version": ">= 3.0.0, < 3.9.6"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/pull/13931", "name": "https://github.com/craftcms/cms/pull/13931", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/pull/13932", "name": "https://github.com/craftcms/cms/pull/13932", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa", "name": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843", "name": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16", "name": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16", "name": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-03T16:51:25.704Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21622", "state": "PUBLISHED", "dateUpdated": "2025-04-17T18:35:24.623Z", "dateReserved": "2023-12-29T03:00:44.953Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-03T16:51:25.704Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "36AC4498-6DDF-4F74-BD12-86BF5479F10A", "versionEndExcluding": "3.9.6", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B004CCA-A979-42AD-ADD4-1BEFDB964C78", "versionEndIncluding": "4.5.15", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions."}, {"lang": "es", "value": "Craft es un sistema de gesti\u00f3n de contenidos. Esta es una posible vulnerabilidad de escalada de privilegios de baja complejidad y impacto moderado en Craft a partir de 3.x anterior a 3.9.6 y 4.x anterior a 4.4.16 con ciertas configuraciones de permisos de usuario. Esto se ha solucionado en Craft 4.4.16 y Craft 3.9.6. Los usuarios deben asegurarse de estar ejecutando al menos esas versiones."}], "id": "CVE-2024-21622", "lastModified": "2024-11-21T08:54:44.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-03T17:15:12.330", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/craftcms/cms/pull/13931"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/craftcms/cms/pull/13932"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/craftcms/cms/pull/13931"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/craftcms/cms/pull/13932"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}