CVE-2024-55954 Information
Description
OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint /api/org_id/users/email_id allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the remove_user_from_org function does not prevent an "Admin" user from removing a "Root" user. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The DELETE /api/org_id/users/email_id endpoint is affected. This issue has been addressed in release version 0.14.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
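The following is an added illustration of the missing check the advisory describes, written here for this page and not taken from OpenObserve's code: a vulnerable removal function that only verifies the caller is at least Admin, beside a hardened one that also compares the caller's role against the target's. The `Role` enum, its ordering and the policy "only Root may remove a user of equal or higher rank" are assumptions for the example.

```rust
// Added example (not OpenObserve's own code). Role ordering and the
// removal policy below are assumptions chosen to illustrate the advisory.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    Viewer,
    Editor,
    Admin,
    Root,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RemoveError {
    /// Caller is below Admin and may not remove anyone.
    Forbidden,
    /// Caller tried to remove a user ranked at or above their own role.
    InsufficientPrivilege { caller: Role, target: Role },
}

/// Vulnerable shape: the caller's role is checked, the target's is not,
/// so an Admin can remove a Root user. Mirrors the flaw in the advisory.
pub fn remove_user_vulnerable(caller: Role, _target: Role) -> Result<(), RemoveError> {
    if caller < Role::Admin {
        return Err(RemoveError::Forbidden);
    }
    Ok(())
}

/// Hardened shape: the caller must be at least Admin AND must outrank the
/// target. Only Root may remove a user of equal or higher rank (i.e. Root).
pub fn remove_user_hardened(caller: Role, target: Role) -> Result<(), RemoveError> {
    if caller < Role::Admin {
        return Err(RemoveError::Forbidden);
    }
    if caller != Role::Root && target >= caller {
        return Err(RemoveError::InsufficientPrivilege { caller, target });
    }
    Ok(())
}

fn main() {
    // Constructed scenario from the advisory: an Admin tries to remove a Root user.
    assert_eq!(remove_user_vulnerable(Role::Admin, Role::Root), Ok(()));
    assert_eq!(
        remove_user_hardened(Role::Admin, Role::Root),
        Err(RemoveError::InsufficientPrivilege { caller: Role::Admin, target: Role::Root })
    );
    println!("hardened check rejects an Admin removing a Root user");
}
```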
Reference
https://github.com/gaby/openobserve/blob/main/src/service/users.rs#L631
https://github.com/openobserve/openobserve/security/advisories/GHSA-m8gj-6r85-3r6m