CVE-2024-9858

There exists an insecure default user permission in Google Cloud Migrate to containers from version 1.1.0 to 1.2.2 Windows installs. A local "m2cuser" was greated with administrator privileges. This posed a security risk if the "analyze" or "generate" commands were interrupted or skipping the action to delete the local user “m2cuser”. We recommend upgrading to 1.2.3 or beyond

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cloud.google.com/migrate/containers/docs/m2c-cli-relnotes#october_8_2024	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:google:migrate_to_containers:*:*:*:*:*:*:*:*

History

30 Jul 2025, 19:32

Type	Values Removed	Values Added
CPE		cpe:2.3:a:google:migrate_to_containers::::::::
First Time		Google Google migrate To Containers
References	~~() https://cloud.google.com/migrate/containers/docs/m2c-cli-relnotes#october_8_2024 -~~	() https://cloud.google.com/migrate/containers/docs/m2c-cli-relnotes#october_8_2024 - Vendor Advisory

16 Oct 2024, 17:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8

16 Oct 2024, 16:38

Type	Values Removed	Values Added
Summary		(es) Existe un permiso de usuario predeterminado inseguro en las instalaciones de Google Cloud Migrate to Containers desde la versión 1.1.0 a la 1.2.2 de Windows. Se otorgaron privilegios de administrador a un "m2cuser" local. Esto representaba un riesgo de seguridad si se interrumpían los comandos "analyze" o "generate" o se omitía la acción de eliminar el usuario local "m2cuser". Recomendamos actualizar a la versión 1.2.3 o posterior.

16 Oct 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-16 09:15

Updated : 2025-07-30 19:32

NVD link : CVE-2024-9858

Mitre link : CVE-2024-9858

CVE.ORG link : CVE-2024-9858

JSON object : View

Products Affected

google

migrate_to_containers

CWE

CWE-276

Incorrect Default Permissions

{"id": "CVE-2024-9858", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"Safety": "PRESENT", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 5.9, "Automatable": "YES", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:A/V:D/RE:L/U:Green", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "GREEN", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-10-16T09:15:03.550", "references": [{"url": "https://cloud.google.com/migrate/containers/docs/m2c-cli-relnotes#october_8_2024", "tags": ["Vendor Advisory"], "source": "cve-coordination@google.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "There exists an insecure default user permission in Google Cloud Migrate to containers from version 1.1.0 to 1.2.2 Windows installs. A local \"m2cuser\" was greated with\u00a0administrator privileges. This posed a security risk if the \"analyze\" or \"generate\" commands were interrupted or skipping the action to delete the local user \u201cm2cuser\u201d. We recommend upgrading to\u00a01.2.3 or beyond"}, {"lang": "es", "value": "Existe un permiso de usuario predeterminado inseguro en las instalaciones de Google Cloud Migrate to Containers desde la versi\u00f3n 1.1.0 a la 1.2.2 de Windows. Se otorgaron privilegios de administrador a un \"m2cuser\" local. Esto representaba un riesgo de seguridad si se interrump\u00edan los comandos \"analyze\" o \"generate\" o se omit\u00eda la acci\u00f3n de eliminar el usuario local \"m2cuser\". Recomendamos actualizar a la versi\u00f3n 1.2.3 o posterior."}], "lastModified": "2025-07-30T19:32:10.007", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:migrate_to_containers:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59E1CC0F-79D1-4C58-BDBB-77FB8E057C6F", "versionEndExcluding": "1.2.3", "versionStartIncluding": "1.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@google.com"}