Fleet
CVE-2022-24841
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a team admin can erroneously add themselves as admin, maintainer or observer on other teams. Users are advised to upgrade to version 4.13. There are no known workarounds for this issue.
AnalysisAI
fleetdm/fleet is an open source device management, built on osquery. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-284. fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a team admin can erroneously add themselves as admin, maintainer or observer on other teams. Users are advised to upgrade to version 4.13. There are no known workarounds for this issue. Affected products include: Fleetdm Fleet. Version information: version 4.13..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Fleet device management software has a signature verification bypass that allows attackers to install malicious firmware
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
SQL injection in Fleet device management software before version 4.80.1 allows authenticated users to manipulate the ord
Fleet device management software versions prior to 4.78.3 suffer from broken access control that permits any authenticat
Fleet before 2.1.2 allows exposure of SMTP credentials. Rated high severity (CVSS 7.5), this vulnerability is remotely e
Fleet versions up to 4.80.1 contains a vulnerability that allows attackers to unauthorized access to Google Calendar res
Fleet device management software versions before 4.80.1 contain an authorization bypass in the certificate template dele
Fleet's device lock and wipe PIN generation relies on predictable timestamps without additional entropy, allowing attack
fleetdm/fleet is open source device management software. [CVSS 5.4 MEDIUM]
Fleet's Android MDM Pub/Sub endpoint fails to authenticate requests prior to version 4.80.1, allowing unauthenticated at
Fleet is an open source osquery manager. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today