Candidate: CVE-2022-24841
PublicDate: 2022-04-18 22:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24841
 https://github.com/fleetdm/fleet/security/advisories/GHSA-pr2g-j78h-84cr
 https://github.com/fleetdm/fleet/commit/da171d3b8d149c30b8307723cbe6b6e8847cb30c
Description:
 fleetdm/fleet is an open source device management, built on osquery. All
 versions of fleet making use of the teams feature are affected by this
 authorization bypass issue. Fleet instances without teams, or with teams
 but without restricted team accounts are not affected. In affected versions
 a team admin can erroneously add themselves as admin, maintainer or
 observer on other teams. Users are advised to upgrade to version 4.13.
 There are no known workarounds for this issue.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N [8.1 HIGH]


Patches_fleet:
upstream_fleet: needs-triage
trusty_fleet: ignored (out of standard support)
xenial_fleet: ignored (out of standard support)