CVE-2024-55954

HIGH · EPSS 38.3%
8.7 CVSS 3.1 (High)
Published Jan 16, 2025 · Last Modified Jun 17, 2026

Description

OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the `remove_user_from_org` function does not prevent an "Admin" user from removing a "Root" user. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org_id}/users/{email_id}` endpoint is affected. This issue has been addressed in release version `0.14.1` and all users are advised to upgrade. There are no known workarounds for this vulnerability.
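The bug class the advisory describes is a removal routine that checks the caller's own role but never compares it with the target's. As an added illustration (written for this page, not OpenObserve's code and not taken from the advisory or the referenced `users.rs`), the Rust sketch below places a `remove_user_vulnerable` variant that gates only on the caller being at least Admin next to a `remove_user_fixed` variant that also requires the caller to outrank or equal the target. The `Role` enum, the extra `Member` tier, the `Org` map, the error type, both function names and the sample e-mail addresses are assumptions made for the example.

```rust
use std::collections::BTreeMap;

/// Privilege hierarchy, lowest to highest. "Admin" and "Root" are the roles
/// named in the advisory; `Member` is an assumed lower-privilege role added
/// so the check has three tiers to distinguish. The derived `Ord` follows
/// declaration order, so `Role::Admin < Role::Root`.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    Member,
    Admin,
    Root,
}

/// Assumed shape of an organization's user table: e-mail -> role.
pub type Org = BTreeMap<String, Role>;

#[derive(Debug, PartialEq, Eq)]
pub enum RemoveError {
    ActorNotInOrg,
    TargetNotInOrg,
    Forbidden,
}

/// Constructed sample data for the example (not real accounts).
pub fn sample_org() -> Org {
    let mut org = Org::new();
    org.insert("root@example.com".to_string(), Role::Root);
    org.insert("admin@example.com".to_string(), Role::Admin);
    org.insert("dev@example.com".to_string(), Role::Member);
    org
}

/// Vulnerable shape of the check: the caller must be at least Admin, but the
/// target's role is never consulted, so an Admin can delete a Root user.
pub fn remove_user_vulnerable(org: &mut Org, actor: &str, target: &str) -> Result<(), RemoveError> {
    let actor_role = *org.get(actor).ok_or(RemoveError::ActorNotInOrg)?;
    if actor_role < Role::Admin {
        return Err(RemoveError::Forbidden);
    }
    org.remove(target).map(|_| ()).ok_or(RemoveError::TargetNotInOrg)
}

/// Hardened shape: the caller must be at least Admin AND must hold a role at
/// least as high as the target's. With the ordering above this means only a
/// Root can remove a Root. The actor check runs before the target lookup so
/// that a caller below Admin learns nothing about which e-mails exist.
pub fn remove_user_fixed(org: &mut Org, actor: &str, target: &str) -> Result<(), RemoveError> {
    let actor_role = *org.get(actor).ok_or(RemoveError::ActorNotInOrg)?;
    if actor_role < Role::Admin {
        return Err(RemoveError::Forbidden);
    }
    let target_role = *org.get(target).ok_or(RemoveError::TargetNotInOrg)?;
    if actor_role < target_role {
        return Err(RemoveError::Forbidden);
    }
    org.remove(target);
    Ok(())
}

fn main() {
    let mut org = sample_org();
    let r = remove_user_vulnerable(&mut org, "admin@example.com", "root@example.com");
    println!("vulnerable: Admin removes Root -> {:?}, root still present: {}", r, org.contains_key("root@example.com"));

    let mut org = sample_org();
    let r = remove_user_fixed(&mut org, "admin@example.com", "root@example.com");
    println!("fixed:      Admin removes Root -> {:?}, root still present: {}", r, org.contains_key("root@example.com"));
}
```

The fixed variant covers exactly the case in the advisory (a non-Root caller removing a Root). A production implementation would also want to refuse removing the organization's last Root and to treat self-removal explicitly; neither of those is discussed by the advisory, so the sketch leaves them out.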

CVSS Details

Base Score
8.7
Exploitability
2.3
Impact
5.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
38.3% (percentile)
Exploit & Patch Status
No Known Exploit
Patch Available: fixed in OpenObserve release 0.14.1, as stated in the description and the GHSA advisory referenced below

Weaknesses 5

CWE-269 Improper Privilege Management
CWE-272 Least Privilege Violation
CWE-284 Improper Access Control
CWE-285 Improper Authorization
CWE-287 Improper Authentication

References 2

  • github.com https://github.com/gaby/openobserve/blob/main/src/service/users.rs#L631
  • github.com https://github.com/openobserve/openobserve/security/advisories/GHSA-m8gj-6r85-3r6m

Remediation

Upgrade to OpenObserve 0.14.1 or later. The advisory states there are no workarounds: the DELETE /api/{org_id}/users/{email_id} endpoint itself performs the role check, so nothing short of the upgrade restores the Admin/Root separation. Until the upgrade is applied, grant the Admin role only to users you would trust with Root, and review audit records for Root-user removals by Admin accounts.

See the GHSA advisory referenced above and the NVD entry for the current patch status.