CVE-2024-25106
Published: 08 February 2024
Summary
CVE-2024-25106 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Openobserve Openobserve. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Access Removal (T1531); ranked at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22468
Vulnerability details
OpenObserve is an observability platform built specifically for logs, metrics, traces, and analytics, designed to work at petabyte scale. A critical vulnerability has been identified in the "/api/{org_id}/users/{email_id}" endpoint. This vulnerability allows any authenticated user within an organization to remove any other user from that same organization, irrespective of their respective roles. This includes the ability to remove users with "Admin" and "Root" roles. By enabling any organizational member to unilaterally alter the user base, it opens the door to unauthorized access and can cause considerable disruptions in operations. The core of the vulnerability lies in the `remove_user_from_org` function in the user management system. This function is designed to allow organizational users to remove members from their organization. The function does not check if the user initiating the request has the appropriate administrative privileges to remove a user. Any user who is part of the organization, irrespective of their role, can remove any other user, including those with higher privileges. This vulnerability is categorized as an Authorization issue leading to Unauthorized User Removal. The impact is severe, as it compromises the integrity of user management within organizations. By exploiting this vulnerability, any user within an organization, without the need for administrative privileges, can remove critical users, including "Admins" and "Root" users. This could result in unauthorized system access, administrative lockout, or operational disruptions. Given that user accounts are typically created by "Admins" or "Root" users, this vulnerability can be exploited by any user who has been granted access to an organization, thereby posing a critical risk to the security and operational stability of the application. This issue has been addressed in release version 0.8.0. Users are advised to upgrade.
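The following Rust model is an added illustration of the authorization gap described above and of the check that closes it; it is not OpenObserve's source code, and the `Org`, `Role`, `RemoveError` types and the two `remove_user_*` function signatures are assumptions made for the example. The vulnerable variant only verifies that the caller belongs to the organization, which is exactly the condition the description says was checked; the hardened variant additionally requires an admin-capable role for the caller and refuses to let an Admin remove a Root user.

```rust
// Added example modelling CVE-2024-25106 (missing role check on user removal).
// Not OpenObserve's code: types, roles and signatures are assumptions.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role {
    Root,
    Admin,
    Member,
}

impl Role {
    /// Roles that are allowed to manage (remove) other users in the org.
    fn can_manage_users(self) -> bool {
        matches!(self, Role::Root | Role::Admin)
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum RemoveError {
    /// Caller is not a member or lacks the privilege for this action.
    Forbidden,
    /// Target email is not a member of the organization.
    NotFound,
}

/// An organization's membership table: email -> role (constructed for the example).
pub struct Org {
    pub members: HashMap<String, Role>,
}

impl Org {
    pub fn new(members: &[(&str, Role)]) -> Self {
        Org {
            members: members.iter().map(|(e, r)| (e.to_string(), *r)).collect(),
        }
    }

    /// Vulnerable pattern: the only check is that the caller is in the org.
    /// The caller's role is never consulted, so a Member can remove an Admin or Root.
    pub fn remove_user_vulnerable(&mut self, caller: &str, target: &str) -> Result<(), RemoveError> {
        if !self.members.contains_key(caller) {
            return Err(RemoveError::Forbidden);
        }
        self.members.remove(target).map(|_| ()).ok_or(RemoveError::NotFound)
    }

    /// Hardened pattern: the caller must hold a role that may manage users, and
    /// may not remove a user who outranks them (only Root may remove Root).
    /// The privilege check runs before the target lookup so that an unprivileged
    /// caller cannot probe which emails exist in the organization.
    pub fn remove_user_checked(&mut self, caller: &str, target: &str) -> Result<(), RemoveError> {
        let caller_role = *self.members.get(caller).ok_or(RemoveError::Forbidden)?;
        if !caller_role.can_manage_users() {
            return Err(RemoveError::Forbidden);
        }
        let target_role = *self.members.get(target).ok_or(RemoveError::NotFound)?;
        if target_role == Role::Root && caller_role != Role::Root {
            return Err(RemoveError::Forbidden);
        }
        self.members.remove(target);
        Ok(())
    }
}

fn sample_org() -> Org {
    // Constructed sample membership; the addresses are placeholders.
    Org::new(&[
        ("root@example.test", Role::Root),
        ("admin@example.test", Role::Admin),
        ("bob@example.test", Role::Member),
    ])
}

fn main() {
    let mut weak = sample_org();
    println!(
        "vulnerable: member removes admin -> {:?}",
        weak.remove_user_vulnerable("bob@example.test", "admin@example.test")
    );
    let mut fixed = sample_org();
    println!(
        "checked:    member removes admin -> {:?}",
        fixed.remove_user_checked("bob@example.test", "admin@example.test")
    );
}
```

The design point worth keeping from the hardened variant is the ordering of checks: authorization on the caller is evaluated before the target is looked up, so the error returned to an unprivileged caller is the same whether or not the target exists.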
- CWE(s): CWE-269 Improper Privilege Management
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability allows any authenticated user to remove other users, including Admin and Root roles, from the organization without authorization checks, directly enabling T1531 Account Access Removal.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
- Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
- Defining account types, requiring approvals for creation, specifying authorizations, monitoring usage, and reviewing accounts directly prevents improper access control by ensuring only authorized accounts exist and are used.
- By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
- Enforces the least privilege principle to avoid violations of minimal necessary access.
- Training covers proper privilege management practices, making incorrect privilege assignments less likely.
- Review helps detect improper privilege management by flagging unauthorized privilege changes or uses.
- Recovery to a known state reverts unauthorized changes to access control mechanisms after compromise.