CVE-2022-24841

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-24841

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24841.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-24841

Aliases

GHSA-pr2g-j78h-84cr

Downstream

UBUNTU-CVE-2022-24841

Published

2022-04-18T21:20:10Z

Modified

2025-11-28T03:46:04.950333Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Improper Authorization in github.com/fleetdm/fleet

Details

fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a team admin can erroneously add themselves as admin, maintainer or observer on other teams. Users are advised to upgrade to version 4.13. There are no known workarounds for this issue.

Database specific

{
    "cwe_ids": [
        "CWE-284",
        "CWE-863"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24841.json"
}

References

Affected packages

Git / github.com/fleetdm/fleet

Affected ranges

Type: GIT
Repo: https://github.com/fleetdm/fleet
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1d0d92c8656a23ff2387e242ca7f57e239fb0cce

Affected versions

1.*

1.0.0

1.0.0-rc1

1.0.0-rc2

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

2.*

2.0.0

2.0.0-rc1

2.0.0-rc2

2.0.0-rc3

2.0.0-rc4

2.0.0-rc5

2.0.1

2.0.2

2.1.0

2.1.1

2.1.2

2.2.0

2.3.0

2.4.0

2.5.0

2.6.0

3.*

3.0.0

3.1.0

3.10.0

3.10.1

3.11.0

3.12.0

3.13.0

3.2.0

3.3.0

3.4.0

3.5.0

3.5.1

3.6.0

3.7.0

3.7.1

3.7.2

3.7.3

3.8.0

3.9.0

fleet-v4.*

fleet-v4.10.0

fleet-v4.11.0

fleet-v4.12.0

fleet-v4.2.0

fleet-v4.2.2

fleet-v4.3.0

fleet-v4.3.1

fleet-v4.4.0

fleet-v4.5.0

fleet-v4.6.0

fleet-v4.6.1

fleet-v4.7.0

fleet-v4.8.0

orbit-v0.*

orbit-v0.0.4

orbit-v0.0.5

orbit-v0.0.6

orbit-v0.0.7

v0.*

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v4.*

v4.0.0

v4.0.0-rc1

v4.0.0-rc2

v4.0.0-rc3

v4.0.1

v4.1.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24841.json"