CVE-2024-24830

Exploit

EPSS 0.12%
Veröffentlicht 08.02.2024 23:15:10
Zuletzt bearbeitet 27.08.2025 16:15:33
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application's role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 5 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openobserve ≫ Openobserve Version < 0.8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.318

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-272 Least Privilege Violation

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/openobserve/openobserve/security/advisories/GHSA-hfxx-g56f-8h5v

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-24830

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-24830

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-24830

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-24830