Description

OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the `remove_user_from_org` function does not prevent an "Admin" user from removing a "Root" user. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org_id}/users/{email_id}` endpoint is affected. This issue has been addressed in release version `0.14.1` and all users are advised to upgrade. There are no known workarounds for this vulnerability.

INFO

Published Date :

2025-01-16T19:30:39.218Z

Last Modified :

2025-02-12T20:31:21.093Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-55954 vulnerability.

Vendors Products
Openobserve
  • Openobserve
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-55954.

URL Resource
https://github.com/gaby/openobserve/blob/main/src/service/users.rs#L631 cve-icon cve-icon
https://github.com/openobserve/openobserve/security/advisories/GHSA-m8gj-6r85-3r6m cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact