Authorization Flaw in OpenObserve's User Management Functionality
CVE-2024-25106
What is CVE-2024-25106?
A significant vulnerability has been identified in the OpenObserve observability platform, in its user management endpoint. It allows any authenticated user to remove other users from the organization, regardless of the caller's assigned role. The root cause is in the remove_user_from_org function, which carries out the removal without first checking that the caller holds a role entitled to remove the target user; being authenticated is treated as sufficient. As a result, a user with no administrative privileges can remove critical accounts, including those with Admin or Root access. An attacker holding a low-privileged account can therefore lock legitimate administrators out of the organization, cause severe operational disruption, and undermine the integrity of the organization's user base. The issue is fixed in OpenObserve 0.8.0; organizations running earlier versions are urged to upgrade and, until they do, to limit who is granted an account on the instance and to review user-removal activity for deletions performed by non-administrative accounts.
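To make the flaw concrete, the following is an added example written for this page, not OpenObserve's own code. It is in Rust, the language OpenObserve is written in, and models an organization's user list with two removal handlers: one that relies on authentication alone (the pattern the advisory describes) and one that authorizes the caller against the target's role before mutating anything. The Org type, the remove_user_unchecked and remove_user functions, the RemoveError variants, and the policy in can_remove (self-removal allowed, Members may not remove others, Admins may not remove Root) are assumptions of this example and do not describe OpenObserve's implementation.

```rust
use std::collections::HashMap;

/// Organization roles named in the advisory. The ordering
/// Member < Admin < Root is an assumption of this example.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    Member,
    Admin,
    Root,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RemoveError {
    CallerNotInOrg,
    TargetNotFound,
    Forbidden,
}

/// Minimal in-memory organization: email -> role (hypothetical model).
#[derive(Debug, Default)]
pub struct Org {
    pub users: HashMap<String, Role>,
}

/// Policy (an assumption of this example, not OpenObserve's):
/// - anyone may remove themselves (leave the org);
/// - Members may not remove anyone else;
/// - Admins may remove Members and other Admins, but not Root;
/// - Root may remove anyone.
pub fn can_remove(caller: &str, caller_role: Role, target: &str, target_role: Role) -> bool {
    if caller == target {
        return true;
    }
    match caller_role {
        Role::Member => false,
        Role::Admin => target_role <= Role::Admin,
        Role::Root => true,
    }
}

impl Org {
    pub fn with_users(users: &[(&str, Role)]) -> Self {
        Org {
            users: users.iter().map(|(e, r)| (e.to_string(), *r)).collect(),
        }
    }

    /// VULNERABLE pattern: the caller is known to be authenticated, but the
    /// handler never consults the caller's role, so any user deletes anyone.
    pub fn remove_user_unchecked(&mut self, _caller: &str, target: &str) -> Result<(), RemoveError> {
        self.users
            .remove(target)
            .map(|_| ())
            .ok_or(RemoveError::TargetNotFound)
    }

    /// HARDENED pattern: resolve the caller's role and authorize the action
    /// against the target before the user list is touched.
    pub fn remove_user(&mut self, caller: &str, target: &str) -> Result<(), RemoveError> {
        let caller_role = *self.users.get(caller).ok_or(RemoveError::CallerNotInOrg)?;
        // Deny a Member before looking the target up, so the error response
        // cannot be used by a low-privileged caller to probe whether an
        // account exists.
        if caller != target && caller_role == Role::Member {
            return Err(RemoveError::Forbidden);
        }
        let target_role = *self.users.get(target).ok_or(RemoveError::TargetNotFound)?;
        if !can_remove(caller, caller_role, target, target_role) {
            return Err(RemoveError::Forbidden);
        }
        self.users.remove(target);
        Ok(())
    }
}

fn main() {
    // Constructed sample data; these accounts are not real.
    let seed = [
        ("root@example.com", Role::Root),
        ("admin@example.com", Role::Admin),
        ("member@example.com", Role::Member),
    ];
    let mut vulnerable = Org::with_users(&seed);
    let mut hardened = Org::with_users(&seed);
    println!(
        "unchecked: member removes admin -> {:?}",
        vulnerable.remove_user_unchecked("member@example.com", "admin@example.com")
    );
    println!(
        "hardened:  member removes admin -> {:?}",
        hardened.remove_user("member@example.com", "admin@example.com")
    );
    println!(
        "hardened:  root removes admin   -> {:?}",
        hardened.remove_user("root@example.com", "admin@example.com")
    );
}
```

The point carried over from the advisory is that the role check belongs inside the handler, in front of the mutation; a valid session proves who the caller is, not what they may do. The hardened handler also fails closed for callers who are not in the organization at all and returns Forbidden to a Member before revealing whether the target exists.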