CVE-2024-55954
Published: 16 January 2025
Summary
CVE-2024-55954 is a high-severity Improper Privilege Management (CWE-269) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it ranks at the 30.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved role-based authorizations to prevent admins from deleting higher-privileged root users via the user management endpoint.
Ensures least privilege by restricting admin roles from performing actions like removing root users, upholding privilege hierarchy.
Manages account lifecycle including restrictions and automation on user removal to mitigate unauthorized deletions of critical root accounts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct privilege escalation via insufficient authorization checks on user deletion endpoint, allowing lower-privileged Admin to remove Root accounts.
NVD Description
OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the `remove_user_from_org` function does not prevent an "Admin" user from removing a "Root" user. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org_id}/users/{email_id}` endpoint is affected. This issue has been addressed in release version `0.14.1` and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Deeper analysis
CVE-2024-55954 is a privilege escalation vulnerability in OpenObserve, a cloud-native observability platform. The issue resides in the user management endpoint `/api/{org_id}/users/{email_id}`, specifically the `DELETE` operation handled by the `remove_user_from_org` function in `src/service/users.rs`. Due to insufficient role checks, an "Admin" role user can remove a "Root" user from the organization, violating the intended privilege hierarchy where Root users hold the highest privileges.
An authenticated attacker with an "Admin" role can exploit this vulnerability over the network with low complexity and no user interaction required. By targeting the affected endpoint, the attacker can delete critical "Root" users, potentially achieving effective full control of the organization by eliminating the highest-privileged accounts needed for oversight and recovery.
The OpenObserve security advisory (GHSA-m8gj-6r85-3r6m) confirms the issue has been addressed in release version 0.14.1, and all users are advised to upgrade immediately. No workarounds are available.
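To make the missing check concrete, the following is an added illustration written for this page; it is not OpenObserve's code and does not reproduce the real `remove_user_from_org` function or its types. It models a hypothetical organization membership table with a ranked role enum and contrasts a removal routine that only checks whether the caller is an Admin (the vulnerable pattern described above) with one that enforces the privilege hierarchy: a caller may never remove a user who outranks them, so an Admin cannot remove a Root user. The last-Root guard is an additional defensive choice assumed here, not something the advisory describes. All user names are constructed sample values.

```rust
// Added example for CVE-2024-55954 (hypothetical types; not OpenObserve's code).
use std::collections::HashMap;

/// Roles ordered by privilege; the derived Ord follows declaration order,
/// so Root > Admin > Member > Viewer.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    Viewer,
    Member,
    Admin,
    Root,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RemoveError {
    NotAuthorized,
    NoSuchUser,
    LastRoot,
}

/// Hypothetical organization membership table: email -> role.
pub struct Org {
    pub members: HashMap<String, Role>,
}

/// Constructed sample organization with one Root, one Admin and one Member.
pub fn sample_org() -> Org {
    let mut members = HashMap::new();
    members.insert("root@example.test".to_string(), Role::Root);
    members.insert("admin@example.test".to_string(), Role::Admin);
    members.insert("member@example.test".to_string(), Role::Member);
    Org { members }
}

/// Vulnerable pattern: the only check is "is the caller at least Admin?".
/// The target's role is never compared with the caller's, so an Admin can
/// delete a Root account.
pub fn remove_user_vulnerable(org: &mut Org, caller: &str, target: &str) -> Result<(), RemoveError> {
    let caller_role = *org.members.get(caller).ok_or(RemoveError::NotAuthorized)?;
    if caller_role < Role::Admin {
        return Err(RemoveError::NotAuthorized);
    }
    org.members.remove(target).map(|_| ()).ok_or(RemoveError::NoSuchUser)
}

/// Hardened pattern: the caller must be at least Admin AND must not be
/// outranked by the target. Because Root is the highest rank, only a Root
/// caller passes the comparison when the target is Root. An extra guard
/// (assumed here) refuses to delete the organization's last Root account.
pub fn remove_user_hardened(org: &mut Org, caller: &str, target: &str) -> Result<(), RemoveError> {
    let caller_role = *org.members.get(caller).ok_or(RemoveError::NotAuthorized)?;
    if caller_role < Role::Admin {
        return Err(RemoveError::NotAuthorized);
    }
    let target_role = *org.members.get(target).ok_or(RemoveError::NoSuchUser)?;
    // Privilege hierarchy: never remove someone who outranks you.
    if target_role > caller_role {
        return Err(RemoveError::NotAuthorized);
    }
    // Lockout guard: keep at least one Root account in the organization.
    if target_role == Role::Root {
        let roots = org.members.values().filter(|r| **r == Role::Root).count();
        if roots <= 1 {
            return Err(RemoveError::LastRoot);
        }
    }
    org.members.remove(target);
    Ok(())
}

fn main() {
    let mut vulnerable = sample_org();
    println!(
        "vulnerable: admin removes root -> {:?}",
        remove_user_vulnerable(&mut vulnerable, "admin@example.test", "root@example.test")
    );
    let mut hardened = sample_org();
    println!(
        "hardened:   admin removes root -> {:?}",
        remove_user_hardened(&mut hardened, "admin@example.test", "root@example.test")
    );
}
```

The essential difference is the single comparison `target_role > caller_role`: authorization for a destructive operation on another account has to consider the target's privilege level, not just the caller's. A detection-side counterpart is to alert on any `DELETE` of a Root user issued by a non-Root session, which the hardened path makes impossible but which remains visible in access logs of unpatched versions.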
Details
- CWE(s)