Platform
go
Component
openobserve
Fixed in
0.14.2
CVE-2024-55954 describes a privilege escalation vulnerability in OpenObserve, a cloud-native observability platform. This flaw allows a user with the "Admin" role to remove a "Root" user from an organization, effectively bypassing intended access controls. The vulnerability impacts versions of OpenObserve up to and including 0.14.0, and a fix is available in version 0.14.1.
The impact of CVE-2024-55954 is significant. An attacker who has gained "Admin" privileges within an OpenObserve organization can exploit this vulnerability to remove the "Root" user, which holds the highest level of access. By eliminating the Root user, the attacker can effectively gain full control over the organization's OpenObserve instance, potentially leading to data breaches, unauthorized modifications, and disruption of observability services. This vulnerability presents a serious risk to organizations relying on OpenObserve for monitoring and troubleshooting.
CVE-2024-55954 was publicly disclosed on January 16, 2025. Currently, there are no publicly available proof-of-concept exploits. The vulnerability's severity (CVSS 8.7) and the potential for complete control over the OpenObserve instance suggest a medium probability of exploitation, particularly if the platform is widely deployed and Admin accounts lack robust security practices. It is not currently listed on the CISA KEV catalog.
Organizations heavily reliant on OpenObserve for observability and monitoring are at significant risk. Specifically, deployments with poorly configured role-based access controls, where Admin accounts have excessive privileges, are particularly vulnerable. Shared hosting environments utilizing OpenObserve also face increased risk due to potential cross-tenant access issues.
• linux / server: Monitor OpenObserve API logs for requests to /api/{orgid}/users/{emailid} that reach the remove_user_from_org function and originate from users with the 'Admin' role. Look for unusual patterns or unexpected user removals.
journalctl -u openobserve -f | grep 'remove_user_from_org'
• generic web: Use curl to test the API endpoint /api/{orgid}/users/{emailid} with an Admin user's credentials to see if a Root user can be removed.
curl -X DELETE -H "Authorization: Bearer <admin_token>" https://<openobserve_url>/api/<org_id>/users/<root_email>
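As an added detection example (not from this page or from the OpenObserve project), the following Python script applies the monitoring check above to constructed JSON access-log lines: it flags every DELETE on /api/{org}/users/{email} where a non-Root actor removed a Root user, and counts successful user removals per actor to surface bursts. The log format, field names and e-mail addresses are assumptions, since the page does not show OpenObserve's real log layout.

```python
import json
import re
from collections import Counter

# Constructed sample log. Assumption: one JSON object per line with the
# method, path, acting user, the actor's role, the target user's role and
# the HTTP status; OpenObserve's real access-log format is not on the page.
SAMPLE_LOG = """\
{"ts":"2025-01-17T10:01:02Z","method":"DELETE","path":"/api/default/users/root@example.com","actor":"admin@example.com","actor_role":"Admin","target_role":"Root","status":200}
{"ts":"2025-01-17T10:02:10Z","method":"DELETE","path":"/api/default/users/analyst@example.com","actor":"admin@example.com","actor_role":"Admin","target_role":"Member","status":200}
{"ts":"2025-01-17T10:03:00Z","method":"GET","path":"/api/default/users/root@example.com","actor":"admin@example.com","actor_role":"Admin","target_role":"Root","status":200}
{"ts":"2025-01-17T10:04:30Z","method":"DELETE","path":"/api/default/users/root@example.com","actor":"root@example.com","actor_role":"Root","target_role":"Root","status":200}
{"ts":"2025-01-17T10:05:45Z","method":"DELETE","path":"/api/acme/users/root@acme.io","actor":"ops@acme.io","actor_role":"Admin","target_role":"Root","status":403}
"""

# Matches the user-management endpoint named on the page: /api/{orgid}/users/{emailid}
USER_PATH = re.compile(r"^/api/(?P<org>[^/]+)/users/(?P<email>[^/?]+)$")


def _user_deletes(log_text):
    """Yield (record, path match) for every DELETE on the user endpoint."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        m = USER_PATH.match(rec["path"])
        if m and rec["method"] == "DELETE":
            yield rec, m


def find_root_removals(log_text):
    """One finding per DELETE of a Root user by an actor who is not Root.
    Blocked attempts (4xx) are reported too: on a patched instance they are
    still evidence that an Admin account tried to remove the Root user."""
    findings = []
    for rec, m in _user_deletes(log_text):
        if rec["target_role"] == "Root" and rec["actor_role"] != "Root":
            findings.append({
                "ts": rec["ts"], "org": m["org"], "target": m["email"],
                "actor": rec["actor"], "actor_role": rec["actor_role"],
                "succeeded": rec["status"] < 300,
            })
    return findings


def removals_per_actor(log_text):
    """Count successful user removals per actor to spot unusual bursts."""
    return Counter(rec["actor"] for rec, _ in _user_deletes(log_text)
                   if rec["status"] < 300)
```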
Exploit status
EPSS
0.12% (31st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-55954 is to upgrade OpenObserve to version 0.14.1 or later, which includes the necessary privilege check fixes. If immediate upgrading is not possible, consider implementing stricter role-based access controls within OpenObserve to limit the potential impact of a compromised Admin account. Review existing user permissions and ensure that the principle of least privilege is enforced. While a direct WAF rule is unlikely to be effective, monitoring for unusual user removal activity within the OpenObserve API logs can provide early warning signs of exploitation.
Update OpenObserve to version 0.14.1 or later. This version fixes the vulnerability that allows users with the 'Admin' role to remove 'Root' users. The update prevents privilege escalation and unauthorized full control of the system.
CVE-2024-55954 is a vulnerability in OpenObserve versions ≤0.14.0 that allows an Admin user to remove a Root user, bypassing privilege checks and potentially gaining full control.
You are affected if you are running OpenObserve versions 0.14.0 or earlier. Assess your deployment and upgrade as soon as possible.
Upgrade OpenObserve to version 0.14.1 or later to remediate the vulnerability. Review and strengthen your role-based access controls.
Currently, there are no publicly known active exploits for CVE-2024-55954, but the vulnerability's severity warrants proactive mitigation.
Refer to the OpenObserve security advisory for detailed information and mitigation guidance: [https://github.com/openobserve/openobserve/security/advisories/GHSA-xxxx-xxxx-xxxx](Replace with actual advisory link when available)