CVE-2024-55954
Published: 16 January 2025
Description
OpenObserve is a cloud-native observability platform. Before release `0.14.1`, the user management endpoint `DELETE /api/{org_id}/users/{email_id}` allows a user holding the "Admin" role to remove a "Root" user from the organization, which violates the intended privilege hierarchy: a non-root user can remove the highest-privileged account. The cause is an insufficient role check in the `remove_user_from_org` function, which does not prevent an "Admin" user from removing a "Root" user. An attacker with an "Admin" role can therefore delete critical "Root" users and potentially gain effective full control of the organization by eliminating its highest-privileged accounts. The issue is addressed in release `0.14.1`, and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Security Summary
CVE-2024-55954 is a privilege escalation vulnerability in OpenObserve, a cloud-native observability platform. The issue resides in the user management endpoint `/api/{org_id}/users/{email_id}`, specifically the `DELETE` operation handled by the `remove_user_from_org` function in `src/service/users.rs`. Due to insufficient role checks, an "Admin" role user can remove a "Root" user from the organization, violating the intended privilege hierarchy where Root users hold the highest privileges.
An authenticated attacker with an "Admin" role can exploit this vulnerability over the network with low complexity and no user interaction required. By targeting the affected endpoint, the attacker can delete critical "Root" users, potentially achieving effective full control of the organization by eliminating the highest-privileged accounts needed for oversight and recovery.
The OpenObserve security advisory (GHSA-m8gj-6r85-3r6m) confirms the issue has been addressed in release version 0.14.1, and all users are advised to upgrade immediately. No workarounds are available.
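The following Rust snippet is an added illustration of the missing check described above; it is not OpenObserve's code, and the names `UserRole`, `OrgMembership`, `RemoveError`, `remove_user_from_org_vulnerable`, `remove_user_from_org_fixed` and the sample e-mail addresses are assumptions made for this example. It models the vulnerable pattern (only the caller's own role is gated) beside the hardened one (the caller must also rank at least as high as the target), which is the difference that stops an Admin from deleting a Root user.

```rust
// Added example (not OpenObserve's code): a minimal model of the role check
// that the advisory says `remove_user_from_org` lacks. Every name below
// (UserRole, OrgMembership, RemoveError, the two remove_* functions and the
// sample e-mail addresses) is an assumption made for illustration.
use std::collections::HashMap;

/// Roles from lowest to highest privilege. On a fieldless enum, derived
/// `Ord` compares variants by declaration order, so `Admin < Root`.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum UserRole {
    Viewer,
    User,
    Admin,
    Root,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RemoveError {
    /// Caller is not a member, lacks Admin rights, or is outranked by the target.
    Forbidden,
    /// Target e-mail is not a member of the organization.
    NotFound,
}

/// In-memory stand-in for one organization's membership table (email -> role).
#[derive(Debug, Default, Clone)]
pub struct OrgMembership {
    members: HashMap<String, UserRole>,
}

impl OrgMembership {
    pub fn role_of(&self, email: &str) -> Option<UserRole> {
        self.members.get(email).copied()
    }

    pub fn contains(&self, email: &str) -> bool {
        self.members.contains_key(email)
    }
}

/// Constructed sample data: one member per role.
pub fn sample_org() -> OrgMembership {
    let members = [
        ("root@example.com", UserRole::Root),
        ("admin@example.com", UserRole::Admin),
        ("user@example.com", UserRole::User),
        ("viewer@example.com", UserRole::Viewer),
    ]
    .iter()
    .map(|&(e, r)| (e.to_string(), r))
    .collect();
    OrgMembership { members }
}

/// Vulnerable pattern: the only authorization check is "caller is at least
/// Admin". The target's role is never consulted, so an Admin can delete Root.
pub fn remove_user_from_org_vulnerable(
    org: &mut OrgMembership,
    caller: &str,
    target: &str,
) -> Result<(), RemoveError> {
    let caller_role = org.role_of(caller).ok_or(RemoveError::Forbidden)?;
    if caller_role < UserRole::Admin {
        return Err(RemoveError::Forbidden);
    }
    org.members.remove(target).map(|_| ()).ok_or(RemoveError::NotFound)
}

/// Hardened pattern: in addition to the Admin gate, the caller must rank at
/// least as high as the target. Because `Admin < Root`, an Admin can no
/// longer remove a Root user; only Root can. (Whether an Admin may remove a
/// peer Admin is a policy choice; this example allows it.)
pub fn remove_user_from_org_fixed(
    org: &mut OrgMembership,
    caller: &str,
    target: &str,
) -> Result<(), RemoveError> {
    let caller_role = org.role_of(caller).ok_or(RemoveError::Forbidden)?;
    if caller_role < UserRole::Admin {
        return Err(RemoveError::Forbidden);
    }
    // Authorize against the TARGET's role before touching the table.
    let target_role = org.role_of(target).ok_or(RemoveError::NotFound)?;
    if target_role > caller_role {
        return Err(RemoveError::Forbidden);
    }
    org.members.remove(target);
    Ok(())
}

fn main() {
    let mut org = sample_org();
    let r = remove_user_from_org_vulnerable(&mut org, "admin@example.com", "root@example.com");
    println!("vulnerable: admin removes root -> {:?}", r);

    let mut org = sample_org();
    let r = remove_user_from_org_fixed(&mut org, "admin@example.com", "root@example.com");
    println!(
        "fixed: admin removes root -> {:?}, root still present: {}",
        r,
        org.contains("root@example.com")
    );
}
```

The point to carry over when reviewing a real user-removal handler is that an authorization decision on a "delete principal" operation needs two inputs, the caller's role and the target's role, and must be evaluated before the delete is issued. Operators who cannot upgrade immediately should at least note that exploitation requires an authenticated account that already holds the Admin role, so the set of Admin accounts is the exposure surface to review.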
Details
- CWE(s)