CVE-2024-38164 - Vulnerability Details - OpenCVE

An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Microsoft	Groupme

Configuration 1 [-]

cpe:2.3:a:microsoft:groupme:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38164

History

Tue, 10 Dec 2024 19:30:00 +0000

Type	Values Removed	Values Added
Description	An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network.	An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.

Tue, 10 Dec 2024 18:00:00 +0000

Type	Values Removed	Values Added
Description	An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.	An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network.
CPEs	cpe:2.3:a:microsoft:groupme::::::::

Wed, 18 Sep 2024 08:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 05 Sep 2024 22:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:microsoft:groupme:-:::::::*

Wed, 14 Aug 2024 07:30:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2024-07-23T21:26:49.040Z

Updated: 2025-03-11T16:40:33.651Z

Reserved: 2024-06-11T22:36:08.211Z

Link: CVE-2024-38164

Vulnrichment

Updated: 2024-08-02T04:04:25.345Z

NVD

Status : Modified

Published: 2024-07-23T22:15:08.420

Modified: 2024-11-21T09:25:00.093

Link: CVE-2024-38164

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38164", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2024-06-11T22:36:08.211Z", "datePublished": "2024-07-23T21:26:49.040Z", "dateUpdated": "2025-03-11T16:40:33.651Z"}, "containers": {"cna": {"title": "GroupMe Elevation of Privilege Vulnerability", "datePublic": "2024-07-23T07:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:groupme:*:*:*:*:*:*:*:*", "versionStartIncluding": "N/A"}]}]}], "affected": [{"vendor": "Microsoft", "product": "GroupMe", "platforms": ["Unknown"], "versions": [{"version": "N/A", "status": "affected"}]}], "descriptions": [{"value": "An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-284: Improper Access Control", "lang": "en-US", "type": "CWE", "cweId": "CWE-284"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2025-03-11T16:40:33.651Z"}, "references": [{"name": "GroupMe Elevation of Privilege Vulnerability", "tags": ["vendor-advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38164"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-24T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-38164"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-25T03:55:21.289Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:04:25.345Z"}, "title": "CVE Program Container", "references": [{"name": "GroupMe Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "x_transferred"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38164"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38164", "name": "GroupMe Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:04:25.345Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38164", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-24T14:58:58.746790Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T14:59:11.469Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "GroupMe Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9.6, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "GroupMe", "versions": [{"status": "affected", "version": "N/A"}], "platforms": ["Unknown"]}], "datePublic": "2024-07-23T07:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38164", "name": "GroupMe Elevation of Privilege Vulnerability", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:groupme:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "N/A"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2025-03-11T16:40:33.651Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38164", "state": "PUBLISHED", "dateUpdated": "2025-03-11T16:40:33.651Z", "dateReserved": "2024-06-11T22:36:08.211Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2024-07-23T21:26:49.040Z", "assignerShortName": "microsoft"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:groupme:-:*:*:*:*:*:*:*", "matchCriteriaId": "82A87C08-6EC5-4BFB-A4E4-57D6A3EA2B39", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link."}, {"lang": "es", "value": " Una vulnerabilidad de control de acceso inadecuado en GroupMe permite a un atacante no autenticado elevar los privilegios en una red convenciendo a un usuario de hacer clic en un enlace malicioso."}], "id": "CVE-2024-38164", "lastModified": "2024-11-21T09:25:00.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-23T22:15:08.420", "references": [{"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38164"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38164"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "secure@microsoft.com", "type": "Secondary"}]}