Common Weakness Enumeration

CWE-1220

Allowed

Insufficient Granularity of Access Control

Abstraction: Base · Status: Incomplete

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

176 vulnerabilities reference this CWE, most recent first.

CVE-2024-33058 (GCVE-0-2024-33058)

Vulnerability from cvelistv5 – Published: 2025-04-07 10:15 – Updated: 2025-04-07 16:06
VLAI
Title
Insufficient Granularity of Access Control in Core
Summary
Memory corruption while assigning memory from the source DDR memory(HLOS) to ADSP.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1220 - Insufficient Granularity of Access Control
Assigner
Impacted products
Vendor Product Version
Qualcomm, Inc. Snapdragon Affected: AQT1000
Affected: AR8035
Affected: FastConnect 6200
Affected: FastConnect 6700
Affected: FastConnect 6800
Affected: FastConnect 6900
Affected: FastConnect 7800
Affected: QAM8255P
Affected: QAM8295P
Affected: QAM8620P
Affected: QAM8650P
Affected: QAM8775P
Affected: QAMSRV1H
Affected: QAMSRV1M
Affected: QCA6174A
Affected: QCA6310
Affected: QCA6335
Affected: QCA6391
Affected: QCA6420
Affected: QCA6421
Affected: QCA6426
Affected: QCA6430
Affected: QCA6431
Affected: QCA6436
Affected: QCA6564A
Affected: QCA6564AU
Affected: QCA6574
Affected: QCA6574A
Affected: QCA6574AU
Affected: QCA6584AU
Affected: QCA6595
Affected: QCA6595AU
Affected: QCA6678AQ
Affected: QCA6688AQ
Affected: QCA6696
Affected: QCA6698AQ
Affected: QCA6797AQ
Affected: QCA8081
Affected: QCA8337
Affected: QCA9377
Affected: QCC710
Affected: QCM5430
Affected: QCM6490
Affected: QCM8550
Affected: QCN6224
Affected: QCN6274
Affected: QCN9274
Affected: QCS5430
Affected: QCS6490
Affected: QCS8300
Affected: QCS8550
Affected: QCS9100
Affected: QDU1000
Affected: QDU1010
Affected: QDU1110
Affected: QDU1210
Affected: QDX1010
Affected: QDX1011
Affected: QEP8111
Affected: QFW7114
Affected: QFW7124
Affected: QMP1000
Affected: QRU1032
Affected: QRU1052
Affected: QRU1062
Affected: QSM8350
Affected: Qualcomm Video Collaboration VC3 Platform
Affected: Robotics RB3 Platform
Affected: SA6145P
Affected: SA6155
Affected: SA6155P
Affected: SA7255P
Affected: SA7775P
Affected: SA8150P
Affected: SA8155
Affected: SA8155P
Affected: SA8255P
Affected: SA8295P
Affected: SA8540P
Affected: SA8620P
Affected: SA8650P
Affected: SA8770P
Affected: SA8775P
Affected: SA9000P
Affected: SC8380XP
Affected: SD 675
Affected: SD 8 Gen1 5G
Affected: SD 8CX
Affected: SD670
Affected: SD675
Affected: SD855
Affected: SD865 5G
Affected: SDX55
Affected: SDX57M
Affected: SDX80M
Affected: SM4635
Affected: SM6650
Affected: SM7250P
Affected: SM7635
Affected: SM7675
Affected: SM7675P
Affected: SM8635
Affected: SM8635P
Affected: SM8650Q
Affected: SM8735
Affected: SM8750
Affected: SM8750P
Affected: Snapdragon 670 Mobile Platform
Affected: Snapdragon 675 Mobile Platform
Affected: Snapdragon 678 Mobile Platform (SM6150-AC)
Affected: Snapdragon 765 5G Mobile Platform (SM7250-AA)
Affected: Snapdragon 765G 5G Mobile Platform (SM7250-AB)
Affected: Snapdragon 768G 5G Mobile Platform (SM7250-AC)
Affected: Snapdragon 8 Gen 1 Mobile Platform
Affected: Snapdragon 8 Gen 3 Mobile Platform
Affected: Snapdragon 845 Mobile Platform
Affected: Snapdragon 850 Mobile Compute Platform
Affected: Snapdragon 855 Mobile Platform
Affected: Snapdragon 855+/860 Mobile Platform (SM8150-AC)
Affected: Snapdragon 865 5G Mobile Platform
Affected: Snapdragon 865+ 5G Mobile Platform (SM8250-AB)
Affected: Snapdragon 870 5G Mobile Platform (SM8250-AC)
Affected: Snapdragon 888 5G Mobile Platform
Affected: Snapdragon 888+ 5G Mobile Platform (SM8350-AC)
Affected: Snapdragon 8c Compute Platform (SC8180X-AD) "Poipu Lite"
Affected: Snapdragon 8c Compute Platform (SC8180XP-AD) "Poipu Lite"
Affected: Snapdragon 8cx Compute Platform (SC8180X-AA, AB)
Affected: Snapdragon 8cx Compute Platform (SC8180XP-AC, AF) "Poipu Pro"
Affected: Snapdragon 8cx Gen 2 5G Compute Platform (SC8180X-AC, AF) "Poipu Pro"
Affected: Snapdragon 8cx Gen 2 5G Compute Platform (SC8180XP-AA, AB)
Affected: Snapdragon 8cx Gen 3 Compute Platform (SC8280XP-AB, BB)
Affected: Snapdragon AR1 Gen 1 Platform
Affected: Snapdragon AR1 Gen 1 Platform "Luna1"
Affected: Snapdragon AR2 Gen 1 Platform
Affected: Snapdragon Auto 5G Modem-RF Gen 2
Affected: Snapdragon X24 LTE Modem
Affected: Snapdragon X35 5G Modem-RF System
Affected: Snapdragon X50 5G Modem-RF System
Affected: Snapdragon X55 5G Modem-RF System
Affected: Snapdragon X62 5G Modem-RF System
Affected: Snapdragon X65 5G Modem-RF System
Affected: Snapdragon X72 5G Modem-RF System
Affected: Snapdragon X75 5G Modem-RF System
Affected: Snapdragon XR2 5G Platform
Affected: SRV1H
Affected: SRV1L
Affected: SRV1M
Affected: SSG2115P
Affected: SSG2125P
Affected: SXR1230P
Affected: SXR2130
Affected: SXR2330P
Affected: Vision Intelligence 300 Platform
Affected: Vision Intelligence 400 Platform
Affected: WCD9326
Affected: WCD9340
Affected: WCD9341
Affected: WCD9370
Affected: WCD9375
Affected: WCD9378
Affected: WCD9380
Affected: WCD9385
Affected: WCD9390
Affected: WCD9395
Affected: WCN3950
Affected: WCN3980
Affected: WCN3988
Affected: WCN3990
Affected: WCN6450
Affected: WCN6650
Affected: WCN6755
Affected: WCN7750
Affected: WCN7860
Affected: WCN7861
Affected: WCN7880
Affected: WCN7881
Affected: WSA8810
Affected: WSA8815
Affected: WSA8830
Affected: WSA8832
Affected: WSA8835
Affected: WSA8840
Affected: WSA8845
Affected: WSA8845H
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-33058",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-07T16:05:48.684802Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-07T16:06:36.533Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Snapdragon Auto",
            "Snapdragon Compute",
            "Snapdragon Consumer IOT",
            "Snapdragon Industrial IOT",
            "Snapdragon MDM",
            "Snapdragon Mobile",
            "Snapdragon Technology",
            "Snapdragon WBC"
          ],
          "product": "Snapdragon",
          "vendor": "Qualcomm, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "AQT1000"
            },
            {
              "status": "affected",
              "version": "AR8035"
            },
            {
              "status": "affected",
              "version": "FastConnect 6200"
            },
            {
              "status": "affected",
              "version": "FastConnect 6700"
            },
            {
              "status": "affected",
              "version": "FastConnect 6800"
            },
            {
              "status": "affected",
              "version": "FastConnect 6900"
            },
            {
              "status": "affected",
              "version": "FastConnect 7800"
            },
            {
              "status": "affected",
              "version": "QAM8255P"
            },
            {
              "status": "affected",
              "version": "QAM8295P"
            },
            {
              "status": "affected",
              "version": "QAM8620P"
            },
            {
              "status": "affected",
              "version": "QAM8650P"
            },
            {
              "status": "affected",
              "version": "QAM8775P"
            },
            {
              "status": "affected",
              "version": "QAMSRV1H"
            },
            {
              "status": "affected",
              "version": "QAMSRV1M"
            },
            {
              "status": "affected",
              "version": "QCA6174A"
            },
            {
              "status": "affected",
              "version": "QCA6310"
            },
            {
              "status": "affected",
              "version": "QCA6335"
            },
            {
              "status": "affected",
              "version": "QCA6391"
            },
            {
              "status": "affected",
              "version": "QCA6420"
            },
            {
              "status": "affected",
              "version": "QCA6421"
            },
            {
              "status": "affected",
              "version": "QCA6426"
            },
            {
              "status": "affected",
              "version": "QCA6430"
            },
            {
              "status": "affected",
              "version": "QCA6431"
            },
            {
              "status": "affected",
              "version": "QCA6436"
            },
            {
              "status": "affected",
              "version": "QCA6564A"
            },
            {
              "status": "affected",
              "version": "QCA6564AU"
            },
            {
              "status": "affected",
              "version": "QCA6574"
            },
            {
              "status": "affected",
              "version": "QCA6574A"
            },
            {
              "status": "affected",
              "version": "QCA6574AU"
            },
            {
              "status": "affected",
              "version": "QCA6584AU"
            },
            {
              "status": "affected",
              "version": "QCA6595"
            },
            {
              "status": "affected",
              "version": "QCA6595AU"
            },
            {
              "status": "affected",
              "version": "QCA6678AQ"
            },
            {
              "status": "affected",
              "version": "QCA6688AQ"
            },
            {
              "status": "affected",
              "version": "QCA6696"
            },
            {
              "status": "affected",
              "version": "QCA6698AQ"
            },
            {
              "status": "affected",
              "version": "QCA6797AQ"
            },
            {
              "status": "affected",
              "version": "QCA8081"
            },
            {
              "status": "affected",
              "version": "QCA8337"
            },
            {
              "status": "affected",
              "version": "QCA9377"
            },
            {
              "status": "affected",
              "version": "QCC710"
            },
            {
              "status": "affected",
              "version": "QCM5430"
            },
            {
              "status": "affected",
              "version": "QCM6490"
            },
            {
              "status": "affected",
              "version": "QCM8550"
            },
            {
              "status": "affected",
              "version": "QCN6224"
            },
            {
              "status": "affected",
              "version": "QCN6274"
            },
            {
              "status": "affected",
              "version": "QCN9274"
            },
            {
              "status": "affected",
              "version": "QCS5430"
            },
            {
              "status": "affected",
              "version": "QCS6490"
            },
            {
              "status": "affected",
              "version": "QCS8300"
            },
            {
              "status": "affected",
              "version": "QCS8550"
            },
            {
              "status": "affected",
              "version": "QCS9100"
            },
            {
              "status": "affected",
              "version": "QDU1000"
            },
            {
              "status": "affected",
              "version": "QDU1010"
            },
            {
              "status": "affected",
              "version": "QDU1110"
            },
            {
              "status": "affected",
              "version": "QDU1210"
            },
            {
              "status": "affected",
              "version": "QDX1010"
            },
            {
              "status": "affected",
              "version": "QDX1011"
            },
            {
              "status": "affected",
              "version": "QEP8111"
            },
            {
              "status": "affected",
              "version": "QFW7114"
            },
            {
              "status": "affected",
              "version": "QFW7124"
            },
            {
              "status": "affected",
              "version": "QMP1000"
            },
            {
              "status": "affected",
              "version": "QRU1032"
            },
            {
              "status": "affected",
              "version": "QRU1052"
            },
            {
              "status": "affected",
              "version": "QRU1062"
            },
            {
              "status": "affected",
              "version": "QSM8350"
            },
            {
              "status": "affected",
              "version": "Qualcomm Video Collaboration VC3 Platform"
            },
            {
              "status": "affected",
              "version": "Robotics RB3 Platform"
            },
            {
              "status": "affected",
              "version": "SA6145P"
            },
            {
              "status": "affected",
              "version": "SA6155"
            },
            {
              "status": "affected",
              "version": "SA6155P"
            },
            {
              "status": "affected",
              "version": "SA7255P"
            },
            {
              "status": "affected",
              "version": "SA7775P"
            },
            {
              "status": "affected",
              "version": "SA8150P"
            },
            {
              "status": "affected",
              "version": "SA8155"
            },
            {
              "status": "affected",
              "version": "SA8155P"
            },
            {
              "status": "affected",
              "version": "SA8255P"
            },
            {
              "status": "affected",
              "version": "SA8295P"
            },
            {
              "status": "affected",
              "version": "SA8540P"
            },
            {
              "status": "affected",
              "version": "SA8620P"
            },
            {
              "status": "affected",
              "version": "SA8650P"
            },
            {
              "status": "affected",
              "version": "SA8770P"
            },
            {
              "status": "affected",
              "version": "SA8775P"
            },
            {
              "status": "affected",
              "version": "SA9000P"
            },
            {
              "status": "affected",
              "version": "SC8380XP"
            },
            {
              "status": "affected",
              "version": "SD 675"
            },
            {
              "status": "affected",
              "version": "SD 8 Gen1 5G"
            },
            {
              "status": "affected",
              "version": "SD 8CX"
            },
            {
              "status": "affected",
              "version": "SD670"
            },
            {
              "status": "affected",
              "version": "SD675"
            },
            {
              "status": "affected",
              "version": "SD855"
            },
            {
              "status": "affected",
              "version": "SD865 5G"
            },
            {
              "status": "affected",
              "version": "SDX55"
            },
            {
              "status": "affected",
              "version": "SDX57M"
            },
            {
              "status": "affected",
              "version": "SDX80M"
            },
            {
              "status": "affected",
              "version": "SM4635"
            },
            {
              "status": "affected",
              "version": "SM6650"
            },
            {
              "status": "affected",
              "version": "SM7250P"
            },
            {
              "status": "affected",
              "version": "SM7635"
            },
            {
              "status": "affected",
              "version": "SM7675"
            },
            {
              "status": "affected",
              "version": "SM7675P"
            },
            {
              "status": "affected",
              "version": "SM8635"
            },
            {
              "status": "affected",
              "version": "SM8635P"
            },
            {
              "status": "affected",
              "version": "SM8650Q"
            },
            {
              "status": "affected",
              "version": "SM8735"
            },
            {
              "status": "affected",
              "version": "SM8750"
            },
            {
              "status": "affected",
              "version": "SM8750P"
            },
            {
              "status": "affected",
              "version": "Snapdragon 670 Mobile Platform"
            },
            {
              "status": "affected",
              "version": "Snapdragon 675 Mobile Platform"
            },
            {
              "status": "affected",
              "version": "Snapdragon 678 Mobile Platform (SM6150-AC)"
            },
            {
              "status": "affected",
              "version": "Snapdragon 765 5G Mobile Platform (SM7250-AA)"
            },
            {
              "status": "affected",
              "version": "Snapdragon 765G 5G Mobile Platform (SM7250-AB)"
            },
            {
              "status": "affected",
              "version": "Snapdragon 768G 5G Mobile Platform (SM7250-AC)"
            },
            {
              "status": "affected",
              "version": "Snapdragon 8 Gen 1 Mobile Platform"
            },
            {
              "status": "affected",
              "version": "Snapdragon 8 Gen 3 Mobile Platform"
            },
            {
              "status": "affected",
              "version": "Snapdragon 845 Mobile Platform"
            },
            {
              "status": "affected",
              "version": "Snapdragon 850 Mobile Compute Platform"
            },
            {
              "status": "affected",
              "version": "Snapdragon 855 Mobile Platform"
            },
            {
              "status": "affected",
              "version": "Snapdragon 855+/860 Mobile Platform (SM8150-AC)"
            },
            {
              "status": "affected",
              "version": "Snapdragon 865 5G Mobile Platform"
            },
            {
              "status": "affected",
              "version": "Snapdragon 865+ 5G Mobile Platform (SM8250-AB)"
            },
            {
              "status": "affected",
              "version": "Snapdragon 870 5G Mobile Platform (SM8250-AC)"
            },
            {
              "status": "affected",
              "version": "Snapdragon 888 5G Mobile Platform"
            },
            {
              "status": "affected",
              "version": "Snapdragon 888+ 5G Mobile Platform (SM8350-AC)"
            },
            {
              "status": "affected",
              "version": "Snapdragon 8c Compute Platform (SC8180X-AD) \"Poipu Lite\""
            },
            {
              "status": "affected",
              "version": "Snapdragon 8c Compute Platform (SC8180XP-AD) \"Poipu Lite\""
            },
            {
              "status": "affected",
              "version": "Snapdragon 8cx Compute Platform (SC8180X-AA, AB)"
            },
            {
              "status": "affected",
              "version": "Snapdragon 8cx Compute Platform (SC8180XP-AC, AF) \"Poipu Pro\""
            },
            {
              "status": "affected",
              "version": "Snapdragon 8cx Gen 2 5G Compute Platform (SC8180X-AC, AF) \"Poipu Pro\""
            },
            {
              "status": "affected",
              "version": "Snapdragon 8cx Gen 2 5G Compute Platform (SC8180XP-AA, AB)"
            },
            {
              "status": "affected",
              "version": "Snapdragon 8cx Gen 3 Compute Platform (SC8280XP-AB, BB)"
            },
            {
              "status": "affected",
              "version": "Snapdragon AR1 Gen 1 Platform"
            },
            {
              "status": "affected",
              "version": "Snapdragon AR1 Gen 1 Platform \"Luna1\""
            },
            {
              "status": "affected",
              "version": "Snapdragon AR2 Gen 1 Platform"
            },
            {
              "status": "affected",
              "version": "Snapdragon Auto 5G Modem-RF Gen 2"
            },
            {
              "status": "affected",
              "version": "Snapdragon X24 LTE Modem"
            },
            {
              "status": "affected",
              "version": "Snapdragon X35 5G Modem-RF System"
            },
            {
              "status": "affected",
              "version": "Snapdragon X50 5G Modem-RF System"
            },
            {
              "status": "affected",
              "version": "Snapdragon X55 5G Modem-RF System"
            },
            {
              "status": "affected",
              "version": "Snapdragon X62 5G Modem-RF System"
            },
            {
              "status": "affected",
              "version": "Snapdragon X65 5G Modem-RF System"
            },
            {
              "status": "affected",
              "version": "Snapdragon X72 5G Modem-RF System"
            },
            {
              "status": "affected",
              "version": "Snapdragon X75 5G Modem-RF System"
            },
            {
              "status": "affected",
              "version": "Snapdragon XR2 5G Platform"
            },
            {
              "status": "affected",
              "version": "SRV1H"
            },
            {
              "status": "affected",
              "version": "SRV1L"
            },
            {
              "status": "affected",
              "version": "SRV1M"
            },
            {
              "status": "affected",
              "version": "SSG2115P"
            },
            {
              "status": "affected",
              "version": "SSG2125P"
            },
            {
              "status": "affected",
              "version": "SXR1230P"
            },
            {
              "status": "affected",
              "version": "SXR2130"
            },
            {
              "status": "affected",
              "version": "SXR2330P"
            },
            {
              "status": "affected",
              "version": "Vision Intelligence 300 Platform"
            },
            {
              "status": "affected",
              "version": "Vision Intelligence 400 Platform"
            },
            {
              "status": "affected",
              "version": "WCD9326"
            },
            {
              "status": "affected",
              "version": "WCD9340"
            },
            {
              "status": "affected",
              "version": "WCD9341"
            },
            {
              "status": "affected",
              "version": "WCD9370"
            },
            {
              "status": "affected",
              "version": "WCD9375"
            },
            {
              "status": "affected",
              "version": "WCD9378"
            },
            {
              "status": "affected",
              "version": "WCD9380"
            },
            {
              "status": "affected",
              "version": "WCD9385"
            },
            {
              "status": "affected",
              "version": "WCD9390"
            },
            {
              "status": "affected",
              "version": "WCD9395"
            },
            {
              "status": "affected",
              "version": "WCN3950"
            },
            {
              "status": "affected",
              "version": "WCN3980"
            },
            {
              "status": "affected",
              "version": "WCN3988"
            },
            {
              "status": "affected",
              "version": "WCN3990"
            },
            {
              "status": "affected",
              "version": "WCN6450"
            },
            {
              "status": "affected",
              "version": "WCN6650"
            },
            {
              "status": "affected",
              "version": "WCN6755"
            },
            {
              "status": "affected",
              "version": "WCN7750"
            },
            {
              "status": "affected",
              "version": "WCN7860"
            },
            {
              "status": "affected",
              "version": "WCN7861"
            },
            {
              "status": "affected",
              "version": "WCN7880"
            },
            {
              "status": "affected",
              "version": "WCN7881"
            },
            {
              "status": "affected",
              "version": "WSA8810"
            },
            {
              "status": "affected",
              "version": "WSA8815"
            },
            {
              "status": "affected",
              "version": "WSA8830"
            },
            {
              "status": "affected",
              "version": "WSA8832"
            },
            {
              "status": "affected",
              "version": "WSA8835"
            },
            {
              "status": "affected",
              "version": "WSA8840"
            },
            {
              "status": "affected",
              "version": "WSA8845"
            },
            {
              "status": "affected",
              "version": "WSA8845H"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Memory corruption while assigning memory from the source DDR memory(HLOS) to ADSP."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1220",
              "description": "CWE-1220: Insufficient Granularity of Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-07T10:15:30.276Z",
        "orgId": "2cfc7d3e-20d3-47ac-8db7-1b7285aff15f",
        "shortName": "qualcomm"
      },
      "references": [
        {
          "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2025-bulletin.html"
        }
      ],
      "title": "Insufficient Granularity of Access Control in Core"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2cfc7d3e-20d3-47ac-8db7-1b7285aff15f",
    "assignerShortName": "qualcomm",
    "cveId": "CVE-2024-33058",
    "datePublished": "2025-04-07T10:15:30.276Z",
    "dateReserved": "2024-04-23T04:42:06.935Z",
    "dateUpdated": "2025-04-07T16:06:36.533Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-29200 (GCVE-0-2024-29200)

Vulnerability from cvelistv5 – Published: 2024-03-28 13:28 – Updated: 2024-08-02 01:10
VLAI
Title
API returns timesheet entries a user should not be authorized to view
Summary
Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1220 - Insufficient Granularity of Access Control
Assigner
References
Impacted products
Vendor Product Version
kimai kimai Affected: < 2.13.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-29200",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-28T15:54:22.072724Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:19.276Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:10:54.793Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kimai",
          "vendor": "kimai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1220",
              "description": "CWE-1220: Insufficient Granularity of Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-28T13:28:36.005Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94"
        }
      ],
      "source": {
        "advisory": "GHSA-cj3c-5xpm-cx94",
        "discovery": "UNKNOWN"
      },
      "title": "API returns timesheet entries a user should not be authorized to view"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-29200",
    "datePublished": "2024-03-28T13:28:36.005Z",
    "dateReserved": "2024-03-18T17:07:00.096Z",
    "dateUpdated": "2024-08-02T01:10:54.793Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26246 (GCVE-0-2024-26246)

Vulnerability from cvelistv5 – Published: 2024-03-14 22:13 – Updated: 2025-05-03 00:46
VLAI
Title
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
Summary
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1220 - Insufficient Granularity of Access Control
Assigner
References
Impacted products
Vendor Product Version
Microsoft Microsoft Edge for Android Affected: 1.0.0 , < 122.0.2365.92 (custom)
Create a notification for this product.
Date Public
2024-03-14 07:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26246",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-22T04:37:37.084598Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-25T15:57:14.610Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:07:17.881Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26246"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Unknown"
          ],
          "product": "Microsoft Edge for Android",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "122.0.2365.92",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*",
                  "versionEndExcluding": "122.0.2365.92",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2024-03-14T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1220",
              "description": "CWE-1220: Insufficient Granularity of Access Control",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-03T00:46:52.957Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26246"
        }
      ],
      "title": "Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2024-26246",
    "datePublished": "2024-03-14T22:13:03.101Z",
    "dateReserved": "2024-02-15T00:57:49.361Z",
    "dateUpdated": "2025-05-03T00:46:52.957Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21971 (GCVE-0-2024-21971)

Vulnerability from cvelistv5 – Published: 2025-02-12 00:01 – Updated: 2025-09-23 21:26
VLAI
Summary
Improper input validation in AMD Crash Defender could allow an attacker to provide the Windows® system process ID to a kernel-mode driver, resulting in an operating system crash, potentially leading to denial of service.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1220 - - Insufficient Granularity of Access Control
Assigner
AMD
Impacted products
Vendor Product Version
AMD AMD Ryzen™ 5000 Series Desktop Processors Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (24.10.20)
Create a notification for this product.
AMD AMD Ryzen™ 5000 Series Desktop Processor with Radeon™ Graphics Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Ryzen™ 7000 Series Desktop Processors Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Affected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Ryzen™ 4000 Series Desktop Processor with Radeon™ Graphics Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Ryzen™ 8000 Series Processor with Radeon™ Graphics Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Ryzen™ 3000 Series Mobile Processor with Radeon™ Graphics Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Ryzen™ 5000 Series Processors with Radeon™ Graphics Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Ryzen™ 7020 Series Processors with Radeon™ Graphics Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Ryzen™ 6000 Series Processor with Radeon™ Graphics Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Ryzen™ 7035 Series Processor with Radeon™ Graphics Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Ryzen™ 7030 Series Processors with Radeon™ Graphics Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Ryzen™ 7040 Series Processors with Radeon™ Graphics Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Ryzen™ 7045 Series Mobile Processors Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Radeon™ RX 5000 Series Graphics Products Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Radeon™ PRO W5000 Series Graphics Products Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Radeon™ RX 7000 Series Graphics Products Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Radeon™ PRO W7000 Series Graphics Products Unaffected: AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Radeon™ VII Unaffected: AMD Software: Adrenalin Edition 24.7.1 (23.19.16)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Radeon™ PRO VII Unaffected: AMD Software: Adrenalin Edition 24.7.1 (23.19.16)
Unaffected: AMD Software: PRO Edition 24.Q2 (23.19.16.01)
Create a notification for this product.
AMD AMD Radeon™ Instinct™ MI25 Unknown: Contact your AMD Customer Engineering representative
Create a notification for this product.
AMD AMD Radeon™ PRO V520 Unknown: Contact your AMD Customer Engineering representative
Create a notification for this product.
AMD AMD Radeon™ PRO V620 Unknown: Contact your AMD Customer Engineering representative
Create a notification for this product.
AMD AMD Radeon™ PRO V710 Unknown: Contact your AMD Customer Engineering representative
Create a notification for this product.
AMD AMD Ryzen™ Embedded R1000 Unaffected: 24.10.21.01
Unaffected: 23.19.16
Create a notification for this product.
AMD AMD Ryzen™ Embedded R2000 Unaffected: 24.10.21.01
Unaffected: 23.19.16
Create a notification for this product.
AMD AMD Ryzen™ Embedded 7000 Unaffected: 24.10.21.01
Unaffected: 23.19.16
Create a notification for this product.
AMD AMD Ryzen™ Embedded V1000 Unaffected: 24.10.21.01
Unaffected: 23.19.16
Create a notification for this product.
AMD AMD Ryzen™ Embedded V2000 Unaffected: 24.10.21.01
Unaffected: 23.19.16
Create a notification for this product.
AMD AMD Ryzen™ Embedded V3000 Unaffected: 24.10.21.01
Unaffected: 23.19.16
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21971",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-12T15:32:03.493834Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T15:32:39.200Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (24.10.20)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Desktop Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Athlon\u2122 3000 Series Desktop Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "affected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 4000 Series Desktop Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 8000 Series Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Athlon\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 3000 Series Mobile Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 4000 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7020 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 6000 Series Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7035 Series Processor with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7030 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7040 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7045 Series Mobile Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Radeon\u2122 RX 5000 Series Graphics Products",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Radeon\u2122 PRO W5000 Series Graphics Products",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Radeon\u2122 RX 7000 Series Graphics Products",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Radeon\u2122 PRO W7000 Series Graphics Products",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (24.10.29.01)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Radeon\u2122 VII",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (23.19.16)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Radeon\u2122 PRO VII",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD Software: Adrenalin Edition 24.7.1 (23.19.16)"
            },
            {
              "status": "unaffected",
              "version": "AMD Software: PRO Edition 24.Q2 (23.19.16.01)"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "AMD Radeon\u2122 Instinct\u2122 MI25",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unknown",
              "version": "Contact your AMD Customer  Engineering representative"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "AMD Radeon\u2122 PRO V520",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unknown",
              "version": "Contact your AMD Customer  Engineering representative"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "AMD Radeon\u2122 PRO V620",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unknown",
              "version": "Contact your AMD Customer  Engineering representative"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "AMD Radeon\u2122 PRO V710",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unknown",
              "version": "Contact your AMD Customer  Engineering representative"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded R1000",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "24.10.21.01"
            },
            {
              "status": "unaffected",
              "version": "23.19.16"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded R2000",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "24.10.21.01"
            },
            {
              "status": "unaffected",
              "version": "23.19.16"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded 7000",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "24.10.21.01"
            },
            {
              "status": "unaffected",
              "version": "23.19.16"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded V1000",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "24.10.21.01"
            },
            {
              "status": "unaffected",
              "version": "23.19.16"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded V2000",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "24.10.21.01"
            },
            {
              "status": "unaffected",
              "version": "23.19.16"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded V3000",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "24.10.21.01"
            },
            {
              "status": "unaffected",
              "version": "23.19.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper input validation in AMD Crash Defender could allow an attacker to provide the Windows\u00ae system process ID to a kernel-mode driver, resulting in an operating system crash, potentially leading to denial of service."
            }
          ],
          "value": "Improper input validation in AMD Crash Defender could allow an attacker to provide the Windows\u00ae system process ID to a kernel-mode driver, resulting in an operating system crash, potentially leading to denial of service."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1220",
              "description": "CWE-1220 - Insufficient Granularity of Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-23T21:26:06.031Z",
        "orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
        "shortName": "AMD"
      },
      "references": [
        {
          "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6008.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
    "assignerShortName": "AMD",
    "cveId": "CVE-2024-21971",
    "datePublished": "2025-02-12T00:01:00.419Z",
    "dateReserved": "2024-01-03T16:43:28.699Z",
    "dateUpdated": "2025-09-23T21:26:06.031Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21962 (GCVE-0-2024-21962)

Vulnerability from cvelistv5 – Published: 2026-05-15 01:59 – Updated: 2026-05-16 03:56
VLAI
Summary
Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1220 - Insufficient Granularity of Access Control
Assigner
AMD
Impacted products
Vendor Product Version
AMD AMD EPYC™ 4005 Series Processors Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD EPYC™ 4004 Series Processors Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Ryzen™ Threadripper™ PRO 3000 WX-Series Processors Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics Unaffected: No fix planned
Create a notification for this product.
AMD AMD Ryzen™ Threadripper™ 7000 WX-Series Processors Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Ryzen™ 9000HX Series Processors Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Ryzen™ Threadripper™ PRO 5000 WX-Series Processors Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Ryzen™ 3000 Series Desktop Processors Unaffected: No fix planned
Create a notification for this product.
AMD AMD Ryzen™ 3000 Series Mobile Processors with Radeon™ Graphics Unaffected: No fix planned
Create a notification for this product.
AMD AMD Ryzen™ 5000 Series Desktop Processors with Radeon™ Graphics Unaffected: No fix planned
Create a notification for this product.
AMD AMD Ryzen™ 5000 Series Desktop Processors Unaffected: No fix planned
Create a notification for this product.
AMD AMD Ryzen™ 7040 Series Mobile Processors with Radeon™ Graphics Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Ryzen™ 8040 Series Mobile Processors with Radeon™ Graphics Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Ryzen™ Z2 Series Processors Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics Unaffected: No fix planned
Create a notification for this product.
AMD AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics Unaffected: No fix planned
Create a notification for this product.
AMD AMD Ryzen™ 6000 Series Processors with Radeon™ Graphics Unaffected: No fix planned
Create a notification for this product.
AMD AMD Ryzen™ AI 300 Series Processors Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Ryzen™ 7020 Series Processors with Radeon™ Graphics Unaffected: No fix planned
Create a notification for this product.
AMD AMD Ryzen™ 7045 Series Mobile Processors with Radeon™ Graphics Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Ryzen™ AI Max 300 Series Processors Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Ryzen™ Threadripper™ 9000 Series Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Ryzen™ 2000 Mobile Processors Unaffected: No fix planned
Create a notification for this product.
AMD AMD Ryzen™ 4000 Series Desktop Processors Unaffected: No fix planned
Create a notification for this product.
AMD AMD Ryzen™ 7000 Series Desktop Processors Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Ryzen™ 8000 Series Desktop Processors Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD Ryzen™ 9000 Series Desktop Processors Unaffected: AMD RAID Software: 9.3.3.245
Create a notification for this product.
AMD AMD EPYC™ Embedded 4005 Series Processors Unaffected: Embedded EPYC_4005 Windows RAID Driver - 9.3.3.00245 - (71794)
Create a notification for this product.
Date Public
2026-05-15 01:58
Credits
Reported through AMD Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21962",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-15T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-16T03:56:05.116Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 4005 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 4004 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 3000 WX-Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "No fix planned"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 7000 WX-Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 9000HX Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 5000 WX-Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 3000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "No fix planned"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "No fix planned"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Desktop Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "No fix planned"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "No fix planned"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7040 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 8040 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Z2 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Athlon\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "No fix planned"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 4000 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "No fix planned"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 6000 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "No fix planned"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 AI 300 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7020 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "No fix planned"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7045 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 AI Max 300 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 9000 Series",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 2000 Mobile Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "No fix planned"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 4000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "No fix planned"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 8000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 9000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "AMD RAID Software: 9.3.3.245"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 4005 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "Embedded EPYC_4005 Windows RAID Driver - 9.3.3.00245 - (71794)"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Reported through AMD Bug Bounty Program"
        }
      ],
      "datePublic": "2026-05-15T01:58:27.469Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution.\u003cbr\u003e"
            }
          ],
          "value": "Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1220",
              "description": "CWE-1220  Insufficient Granularity of Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T01:59:01.793Z",
        "orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
        "shortName": "AMD"
      },
      "references": [
        {
          "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4016.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "AMD PSIRT Automation 1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
    "assignerShortName": "AMD",
    "cveId": "CVE-2024-21962",
    "datePublished": "2026-05-15T01:59:01.793Z",
    "dateReserved": "2024-01-03T16:43:28.698Z",
    "dateUpdated": "2026-05-16T03:56:05.116Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-21947 (GCVE-0-2024-21947)

Vulnerability from cvelistv5 – Published: 2025-09-06 17:10 – Updated: 2026-02-26 17:49
VLAI
Summary
Improper input validation in the system management mode (SMM) could allow a privileged attacker to overwrite arbitrary memory potentially resulting in arbitrary code execution at the SMM level.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1220 - Insufficient Granularity of Access Control
Assigner
AMD
Impacted products
Vendor Product Version
AMD AMD Ryzen™ Threadripper™ 3000 Processors Unaffected: CastlePeakPI-SP3r3 1.0.0.C
Create a notification for this product.
AMD AMD Ryzen™ Threadripper™ PRO 5000 WX-Series Processors Unaffected: ChagallWSPI-sWRX8-1.0.0.7
Create a notification for this product.
AMD AMD Ryzen™ 7030 Series Mobile Processors with Radeon™ Graphics Unaffected: CezannePI-FP6_1.0.1.0
Create a notification for this product.
AMD AMD Ryzen™ Threadripper™ PRO 3000 WX-Series Processors Unaffected: CastlePeakWSPI-sWRX8 1.0.0.E
Unaffected: ChagallWSPI-sWRX8-1.0.0.7
Create a notification for this product.
AMD AMD Ryzen™ 3000 Series Desktop Processors Unaffected: ComboAM4 1.0.0.B
Unaffected: ComboAM4v2PI_1.2.0.CA
Create a notification for this product.
AMD AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics Unaffected: Picasso-FP5 1.0.1.1
Create a notification for this product.
AMD AMD Ryzen™ 3000 Series Mobile Processors with Radeon™ Graphics Unaffected: Picasso-FP5 1.0.1.1
Create a notification for this product.
AMD AMD Ryzen™ 5000 Series Desktop Processors Unaffected: ComboAM4v2PI_1.2.0.CA
Create a notification for this product.
AMD AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics Unaffected: ComboAM4 1.0.0.B
Create a notification for this product.
AMD AMD Ryzen™ 8000 Series Desktop Processors Unaffected: ComboAM5 1.2.0.0
Create a notification for this product.
AMD AMD Ryzen™ 7040 Series Mobile Processors with Radeon™ Graphics Unaffected: PhoenixPI-FP8-FP7_1.1.0.2
Create a notification for this product.
AMD AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics Unaffected: Renoir-FP6 1.0.0.D
Create a notification for this product.
AMD AMD Ryzen™ 6000 Series Processors with Radeon™ Graphics Unaffected: Rembrandt-FP7 1.0.0.A
Create a notification for this product.
AMD AMD Ryzen™ 7000 Series Desktop Processors Unaffected: ComboAM5 1.2.0.0
Create a notification for this product.
AMD AMD Ryzen™ 7020 Series Processors with Radeon™ Graphics Unaffected: MendocinoPI-FT6_1.0.0.6
Create a notification for this product.
AMD AMD Ryzen™ 7045 Series Mobile Processors with Radeon™ Graphics Unaffected: DragonRangeFL1 1.0.0.3d
Create a notification for this product.
AMD AMD Ryzen™ 7035 Series Processors with Radeon™ Graphics Unaffected: Rembrandt-FP7 1.0.0.A
Create a notification for this product.
AMD AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics Unaffected: CezannePI-FP6_1.0.1.0
Create a notification for this product.
AMD AMD Ryzen™ 5000 Series Desktop Processors with Radeon™ Graphics Unaffected: ComboAM4v2PI_1.2.0.CA
Create a notification for this product.
AMD AMD Ryzen™ 4000 Series Desktop Processors Unaffected: ComboAM4v2PI_1.2.0.CA
Create a notification for this product.
AMD AMD Ryzen™ Embedded R1000 Series Processors Unaffected: EmbeddedPI-FP5 120C
Create a notification for this product.
AMD AMD Ryzen™ Embedded R2000 Series Processors Unaffected: EmbeddedR2KPI-FP5_1003
Create a notification for this product.
AMD AMD Ryzen™ Embedded 5000 Series Processors Unaffected: EmbAM4PI 1.0.0.5
Create a notification for this product.
AMD AMD Ryzen™ Embedded V1000 Series Processors Unaffected: EmbeddedPI-FP5 120C
Create a notification for this product.
AMD AMD Ryzen™ Embedded V2000 Series Processors Unaffected: EmbeddedPI-FP6_1.0.0.A
Create a notification for this product.
AMD AMD Ryzen™ Embedded V3000 Series Processors Unaffected: Embedded-PI_FP7r2 1009
Create a notification for this product.
Date Public
2025-09-06 16:50
Credits
Reported through AMD Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21947",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-09T03:55:22.910224Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:49:10.599Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 3000 Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "CastlePeakPI-SP3r3 1.0.0.C"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 5000 WX-Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "ChagallWSPI-sWRX8-1.0.0.7"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7030 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "CezannePI-FP6_1.0.1.0"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 3000 WX-Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "CastlePeakWSPI-sWRX8 1.0.0.E"
            },
            {
              "status": "unaffected",
              "version": "ChagallWSPI-sWRX8-1.0.0.7"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 3000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "ComboAM4 1.0.0.B"
            },
            {
              "status": "unaffected",
              "version": "ComboAM4v2PI_1.2.0.CA"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Athlon\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "Picasso-FP5 1.0.1.1"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "Picasso-FP5 1.0.1.1"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "ComboAM4v2PI_1.2.0.CA"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Athlon\u2122 3000 Series Desktop Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "ComboAM4 1.0.0.B"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 8000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "ComboAM5 1.2.0.0"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7040 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "PhoenixPI-FP8-FP7_1.1.0.2"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 4000 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "Renoir-FP6 1.0.0.D"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 6000 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "Rembrandt-FP7 1.0.0.A"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "ComboAM5 1.2.0.0"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7020 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "MendocinoPI-FT6_1.0.0.6"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7045 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "DragonRangeFL1 1.0.0.3d"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 7035 Series Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "Rembrandt-FP7 1.0.0.A"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Mobile Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "CezannePI-FP6_1.0.1.0"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 5000 Series Desktop Processors with Radeon\u2122 Graphics",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "ComboAM4v2PI_1.2.0.CA"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 4000 Series Desktop Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "ComboAM4v2PI_1.2.0.CA"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded R1000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbeddedPI-FP5 120C"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded R2000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbeddedR2KPI-FP5_1003"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded 5000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbAM4PI 1.0.0.5"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded V1000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbeddedPI-FP5 120C"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded V2000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbeddedPI-FP6_1.0.0.A"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD Ryzen\u2122 Embedded V3000 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "Embedded-PI_FP7r2 1009"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Reported through AMD Bug Bounty Program"
        }
      ],
      "datePublic": "2025-09-06T16:50:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper input validation in the system management mode (SMM) could allow a privileged attacker to overwrite arbitrary memory potentially resulting in arbitrary code execution at the SMM level.\u003cbr\u003e"
            }
          ],
          "value": "Improper input validation in the system management mode (SMM) could allow a privileged attacker to overwrite arbitrary memory potentially resulting in arbitrary code execution at the SMM level."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1220",
              "description": "CWE-1220 Insufficient Granularity of Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-23T21:24:22.687Z",
        "orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
        "shortName": "AMD"
      },
      "references": [
        {
          "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4012.html"
        },
        {
          "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-5007.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "AMD PSIRT Automation 1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
    "assignerShortName": "AMD",
    "cveId": "CVE-2024-21947",
    "datePublished": "2025-09-06T17:10:47.951Z",
    "dateReserved": "2024-01-03T16:43:21.322Z",
    "dateUpdated": "2026-02-26T17:49:10.599Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-13272 (GCVE-0-2024-13272)

Vulnerability from cvelistv5 – Published: 2025-01-09 19:20 – Updated: 2025-01-14 17:06
VLAI
Title
Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036
Summary
Insufficient Granularity of Access Control vulnerability in Drupal Paragraphs table allows Content Spoofing.This issue affects Paragraphs table: from 0.0.0 before 1.23.0, from 2.0.0 before 2.0.2.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1220 - Insufficient Granularity of Access Control
Assigner
References
Impacted products
Vendor Product Version
Drupal Paragraphs table Affected: 0.0.0 , < 1.23.0 (semver)
Affected: 2.0.0 , < 2.0.2 (semver)
Create a notification for this product.
Date Public
2024-09-04 15:42
Credits
James Williams James Williams NGUYEN Bao Steven Jones Joseph Olstad Greg Knaddison Jess Juraj Nemec
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 6.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-13272",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T17:05:37.422960Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T17:06:04.073Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/paragraphs_table",
          "defaultStatus": "unaffected",
          "product": "Paragraphs table",
          "repo": "https://git.drupalcode.org/project/paragraphs_table",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "1.23.0",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.0.2",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "James Williams"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "James Williams"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "NGUYEN Bao"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Steven Jones"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Joseph Olstad"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec"
        }
      ],
      "datePublic": "2024-09-04T15:42:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insufficient Granularity of Access Control vulnerability in Drupal Paragraphs table allows Content Spoofing.\u003cp\u003eThis issue affects Paragraphs table: from 0.0.0 before 1.23.0, from 2.0.0 before 2.0.2.\u003c/p\u003e"
            }
          ],
          "value": "Insufficient Granularity of Access Control vulnerability in Drupal Paragraphs table allows Content Spoofing.This issue affects Paragraphs table: from 0.0.0 before 1.23.0, from 2.0.0 before 2.0.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-148",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-148 Content Spoofing"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1220",
              "description": "CWE-1220 Insufficient Granularity of Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-09T19:20:41.907Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2024-036"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2024-13272",
    "datePublished": "2025-01-09T19:20:41.907Z",
    "dateReserved": "2025-01-09T18:28:07.546Z",
    "dateUpdated": "2025-01-14T17:06:04.073Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-13256 (GCVE-0-2024-13256)

Vulnerability from cvelistv5 – Published: 2025-01-09 19:03 – Updated: 2025-01-10 17:00
VLAI
Title
Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020
Summary
Insufficient Granularity of Access Control vulnerability in Drupal Email Contact allows Forceful Browsing.This issue affects Email Contact: from 0.0.0 before 2.0.4.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1220 - Insufficient Granularity of Access Control
Assigner
References
Impacted products
Vendor Product Version
Drupal Email Contact Affected: 0.0.0 , < 2.0.4 (semver)
Create a notification for this product.
Date Public
2024-05-22 16:03
Credits
Claudiu Cristea Claudiu Cristea Bálint Nagy Greg Knaddison Juraj Nemec xjm Greg Knaddison xjm Juraj Nemec
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-13256",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-10T16:59:37.422670Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-10T17:00:06.490Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/email_contact",
          "defaultStatus": "unaffected",
          "product": "Email Contact",
          "repo": "https://git.drupalcode.org/project/email_contact",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "2.0.4",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Claudiu Cristea"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Claudiu Cristea"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "B\u00e1lint Nagy"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Greg Knaddison"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Juraj Nemec"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "xjm"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "xjm"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec"
        }
      ],
      "datePublic": "2024-05-22T16:03:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insufficient Granularity of Access Control vulnerability in Drupal Email Contact allows Forceful Browsing.\u003cp\u003eThis issue affects Email Contact: from 0.0.0 before 2.0.4.\u003c/p\u003e"
            }
          ],
          "value": "Insufficient Granularity of Access Control vulnerability in Drupal Email Contact allows Forceful Browsing.This issue affects Email Contact: from 0.0.0 before 2.0.4."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-87",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-87 Forceful Browsing"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1220",
              "description": "CWE-1220 Insufficient Granularity of Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-09T19:03:47.618Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2024-020"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2024-13256",
    "datePublished": "2025-01-09T19:03:47.618Z",
    "dateReserved": "2025-01-09T18:27:18.287Z",
    "dateUpdated": "2025-01-10T17:00:06.490Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-12619 (GCVE-0-2024-12619)

Vulnerability from cvelistv5 – Published: 2025-03-28 10:02 – Updated: 2025-03-28 13:46
VLAI
Title
Insufficient Granularity of Access Control in GitLab
Summary
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to internal projects.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1220 - Insufficient Granularity of Access Control
Assigner
References
URL Tags
https://gitlab.com/gitlab-org/gitlab/-/issues/509324 issue-trackingpermissions-required
https://hackerone.com/reports/2888260 technical-descriptionexploitpermissions-required
Impacted products
Vendor Product Version
GitLab GitLab Affected: 16.0 , < 17.8.6 (semver)
Affected: 17.9 , < 17.9.3 (semver)
Affected: 17.10 , < 17.10.1 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Thanks [aituglo](https://hackerone.com/aituglo) for reporting this vulnerability through our HackerOne bug bounty program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12619",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-28T13:46:02.996419Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-28T13:46:51.887Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "17.8.6",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.9.3",
              "status": "affected",
              "version": "17.9",
              "versionType": "semver"
            },
            {
              "lessThan": "17.10.1",
              "status": "affected",
              "version": "17.10",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks [aituglo](https://hackerone.com/aituglo) for reporting this vulnerability through our HackerOne bug bounty program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to internal projects."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1220",
              "description": "CWE-1220: Insufficient Granularity of Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-28T10:02:13.406Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "GitLab Issue #509324",
          "tags": [
            "issue-tracking",
            "permissions-required"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/509324"
        },
        {
          "name": "HackerOne Bug Bounty Report #2888260",
          "tags": [
            "technical-description",
            "exploit",
            "permissions-required"
          ],
          "url": "https://hackerone.com/reports/2888260"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 17.8.6, 17.9.3, 17.10.1 or above."
        }
      ],
      "title": "Insufficient Granularity of Access Control in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2024-12619",
    "datePublished": "2025-03-28T10:02:13.406Z",
    "dateReserved": "2024-12-13T14:30:47.059Z",
    "dateUpdated": "2025-03-28T13:46:51.887Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-11931 (GCVE-0-2024-11931)

Vulnerability from cvelistv5 – Published: 2025-01-24 03:02 – Updated: 2025-02-05 20:14
VLAI
Title
Insufficient Granularity of Access Control in GitLab
Summary
An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables via CI lint.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1220 - Insufficient Granularity of Access Control
Assigner
References
Impacted products
Vendor Product Version
GitLab GitLab Affected: 17.0 , < 17.6.4 (semver)
Affected: 17.7 , < 17.7.3 (semver)
Affected: 17.8 , < 17.8.1 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
This vulnerability has been discovered internally by GitLab team member [Greg Myers](https://gitlab.com/greg/).
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-11931",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T14:59:16.564153Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T20:14:21.196Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "release-notes"
            ],
            "url": "https://about.gitlab.com/releases/2025/01/22/patch-release-gitlab-17-8-1-released/https://about.gitlab.com/releases/2025/01/22/patch-release-gitlab-17-8-1-released/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "17.6.4",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.7.3",
              "status": "affected",
              "version": "17.7",
              "versionType": "semver"
            },
            {
              "lessThan": "17.8.1",
              "status": "affected",
              "version": "17.8",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This vulnerability has been discovered internally by GitLab team member [Greg Myers](https://gitlab.com/greg/)."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables via CI lint."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1220",
              "description": "CWE-1220: Insufficient Granularity of Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-24T03:02:16.074Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "GitLab Issue #480901",
          "tags": [
            "issue-tracking",
            "permissions-required"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/480901"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 17.6.4, 17.7.3, 17.8.1 or above."
        }
      ],
      "title": "Insufficient Granularity of Access Control in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2024-11931",
    "datePublished": "2025-01-24T03:02:16.074Z",
    "dateReserved": "2024-11-27T20:02:05.948Z",
    "dateUpdated": "2025-02-05T20:14:21.196Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design Implementation Testing
  • Access-control-policy protections must be reviewed for design inconsistency and common weaknesses.
  • Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.