Cyber Resilience

CVE-2024-30896

Critical

Published: 21 November 2024

Modified: 15 April 2026
KEV Added: not listed
Patch: InfluxDB 2.8.0
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.3191 (96.9th percentile)
Risk Priority: 37 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-30896 is a critical-severity Insecure Storage of Sensitive Information (CWE-922) vulnerability in InfluxDB OSS 2.x. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 3.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

InfluxDB OSS 2.x through version 2.7.11 stores the administrative operator token under the default organization. This design allows any authorized user who possesses read access to the authorization resource of that default organization to retrieve the token. The issue does not affect InfluxDB OSS 1.x, Enterprise, Cloud, Cloud Dedicated, or Clustered deployments.

An attacker with the described read permission on the default organization can obtain the operator token and thereby gain full administrative control over the InfluxDB instance. The researcher additionally notes that allAccess administrators can list all raw tokens using the “influx auth ls” command, amplifying the exposure when such accounts exist.

InfluxData states that the organizations feature behaves as intended and recommends placing users in non-default organizations to limit exposure. Version 2.8.0 removes the ability to retrieve tokens via the API, closing the reported vector. Public references include the vendor’s GitHub issue tracker, the 2.8.0 release notes, and a proof-of-concept repository describing the original finding. The associated EPSS score has remained in the 0.32–0.35 range without a pronounced post-disclosure climb.


Vulnerability details

InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default organization to retrieve the operator token. InfluxDB OSS 1.x, Enterprise, Cloud, Cloud Dedicated and Clustered are not affected. NOTE: The researcher states that InfluxDB allows allAccess administrators to retrieve all raw tokens via an "influx auth ls" command. The supplier indicates that the organizations feature is operating as intended and that users may choose to add users to non-default organizations. A future release of InfluxDB 2.x will remove the ability to retrieve tokens from the API. The supplier has stated that InfluxDB 2.8.0 has addressed this issue.
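As an added audit example (not from the page, the vendor, or the researcher), the Python below walks a constructed list of InfluxDB 2.x authorization records and flags the two conditions described above: an operator-like token listed under the default organization, and non-operator tokens in that organization that hold read access on the authorization resource. The record shape (orgID, permissions[].action, permissions[].resource.type and .orgID) is assumed to follow the /api/v2/authorizations response; the IDs are constructed, and feeding it the JSON output of the real CLI is left to the reader.

```python
"""Audit InfluxDB 2.x authorizations for the CVE-2024-30896 exposure.

Assumed record shape (not taken from the page): each authorization has
"id", "description", "orgID", "userID" and "permissions", where a permission is
{"action": "read"|"write", "resource": {"type": str, "orgID": str (optional)}}.
A resource without "orgID" is unscoped, which is how the operator token looks.
"""

DEFAULT_ORG_ID = "0000000000000001"  # constructed sample value

# Constructed sample records; no real tokens or IDs.
SAMPLE_AUTHS = [
    {   # operator token: unscoped read+write on every type, listed under the default org
        "id": "op-token", "description": "admin's Token", "orgID": DEFAULT_ORG_ID, "userID": "u-admin",
        "permissions": [{"action": a, "resource": {"type": t}}
                        for t in ("authorizations", "buckets", "orgs", "users") for a in ("read", "write")],
    },
    {   # default-org user with read on the authorization resource: can retrieve the operator token
        "id": "reader-token", "description": "dev read", "orgID": DEFAULT_ORG_ID, "userID": "u-dev",
        "permissions": [{"action": "read", "resource": {"type": "authorizations", "orgID": DEFAULT_ORG_ID}}],
    },
    {   # same permission in a non-default org: the vendor's recommended layout
        "id": "other-org-token", "description": "team token", "orgID": "0000000000000002", "userID": "u-team",
        "permissions": [{"action": "read", "resource": {"type": "authorizations", "orgID": "0000000000000002"}}],
    },
    {   # bucket-only token in the default org: no access to the authorization resource
        "id": "bucket-token", "description": "ingest", "orgID": DEFAULT_ORG_ID, "userID": "u-ingest",
        "permissions": [{"action": "write", "resource": {"type": "buckets", "orgID": DEFAULT_ORG_ID}}],
    },
]


def is_operator_like(auth: dict) -> bool:
    """True if the token has unscoped (no orgID) read and write on the authorizations resource."""
    actions = {p["action"] for p in auth["permissions"]
               if p["resource"].get("type") == "authorizations" and "orgID" not in p["resource"]}
    return {"read", "write"} <= actions


def can_read_default_org_authorizations(auth: dict, default_org_id: str) -> bool:
    """True if any permission grants read on authorizations scoped to the default org (or unscoped)."""
    for p in auth["permissions"]:
        r = p["resource"]
        if p["action"] == "read" and r.get("type") == "authorizations" and r.get("orgID", default_org_id) == default_org_id:
            return True
    return False


def audit(auths: list, default_org_id: str) -> dict:
    """Report operator tokens sitting under the default org and the principals able to read them."""
    exposed = [a["id"] for a in auths if is_operator_like(a) and a["orgID"] == default_org_id]
    readers = [a["id"] for a in auths if not is_operator_like(a) and can_read_default_org_authorizations(a, default_org_id)]
    return {"operator_tokens_in_default_org": exposed, "default_org_authorization_readers": readers}


if __name__ == "__main__":
    print(audit(SAMPLE_AUTHS, DEFAULT_ORG_ID))
```

Any non-empty `default_org_authorization_readers` list on a pre-2.8.0 instance identifies tokens whose holders should be moved to a non-default organization or have the authorization read permission removed.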

CWE(s)

CWE-922: Insecure Storage of Sensitive Information

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

InfluxDB OSS 2.x through 2.7.11 (InfluxDB OSS 1.x, Enterprise, Cloud, Cloud Dedicated and Clustered are not affected)

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-922: Tracking information locations and access supports secure storage practices instead of insecure ones.

Addresses CWE-922: Establishing an alternate site with equivalent protections directly mitigates insecure storage of sensitive backup information.

Addresses CWE-922: Requiring protection of backup information directly addresses insecure storage of sensitive data in backups.

Addresses CWE-922: Policy explicitly addresses insecure storage of CUI on external systems, requiring compliant handling and protections.

Addresses CWE-922: Proper categorization drives selection of storage controls that keep sensitive information from being stored insecurely.

Addresses CWE-922: The control explicitly requires secure storage mechanisms for sensitive information, closing the insecure-storage weakness class.

Addresses CWE-922: Storing information as fragments on distinct components is an architectural control that avoids insecure single-location storage of the complete sensitive data set.

Addresses CWE-922: OPSEC requirements improve handling and storage practices for sensitive supply-chain information.
