Vulnerabilities related to openobserve - openobserve
CVE-2024-41808 (GCVE-0-2024-41808)
Vulnerability from cvelistv5
Published
2024-07-25 20:10
Modified
2024-08-02 04:46
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The OpenObserve open-source observability platform provides the ability to filter logs in a dashboard by the values uploaded in a given log. However, all versions of the platform through 0.9.1 do not sanitize user input in the filter selection menu, which may result in complete account takeover. It has been noted that the front end uses `DOMPurify` or Vue templating to escape cross-site scripting (XSS) extensively; however, certain areas of the front end lack this XSS protection. When combining the missing protection with the insecure authentication handling that the front end uses, a malicious user may be able to take over any victim's account provided they meet the exploitation steps. As of time of publication, no patched version is available.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
openobserve | openobserve |
Version: <= 0.9.1 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:openobserve:openobserve:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "openobserve", "vendor": "openobserve", "versions": [ { "lessThanOrEqual": "0.9.1", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-41808", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-07-26T13:59:35.577599Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-26T14:00:19.978Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T04:46:52.985Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-hx23-g7m8-h76j", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-hx23-g7m8-h76j" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "openobserve", "vendor": "openobserve", "versions": [ { "status": "affected", "version": "\u003c= 0.9.1" } ] } ], "descriptions": [ { "lang": "en", "value": "The OpenObserve open-source observability platform provides the ability to filter logs in a dashboard by the values uploaded in a given log. However, all versions of the platform through 0.9.1 do not sanitize user input in the filter selection menu, which may result in complete account takeover. It has been noted that the front-end uses `DOMPurify` or Vue templating to escape cross-site scripting (XSS) extensively, however certain areas of the front end lack this XSS protection. 
When combining the missing protection with the insecure authentication handling that the front-end uses, a malicious user may be able to take over any victim\u0027s account provided they meet the exploitation steps. As of time of publication, no patched version is available." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-25T20:10:04.248Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-hx23-g7m8-h76j", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-hx23-g7m8-h76j" } ], "source": { "advisory": "GHSA-hx23-g7m8-h76j", "discovery": "UNKNOWN" }, "title": "OpenObserve stored XSS vulnerability may lead to complete account takeover" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-41808", "datePublished": "2024-07-25T20:10:04.248Z", "dateReserved": "2024-07-22T13:57:37.135Z", "dateUpdated": "2024-08-02T04:46:52.985Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-25106 (GCVE-0-2024-25106)
Vulnerability from cvelistv5
Published
2024-02-08 23:05
Modified
2024-08-01 23:36
CWE
Summary
OpenObserve is an observability platform built specifically for logs, metrics, traces, and analytics, designed to work at petabyte scale. A critical vulnerability has been identified in the "/api/{org_id}/users/{email_id}" endpoint. This vulnerability allows any authenticated user within an organization to remove any other user from that same organization, irrespective of their respective roles. This includes the ability to remove users with "Admin" and "Root" roles. By enabling any organizational member to unilaterally alter the user base, it opens the door to unauthorized access and can cause considerable disruptions in operations. The core of the vulnerability lies in the `remove_user_from_org` function in the user management system. This function is designed to allow organizational users to remove members from their organization. The function does not check whether the user initiating the request has the appropriate administrative privileges to remove a user. Any user who is part of the organization, irrespective of their role, can remove any other user, including those with higher privileges. This vulnerability is categorized as an Authorization issue leading to Unauthorized User Removal. The impact is severe, as it compromises the integrity of user management within organizations. By exploiting this vulnerability, any user within an organization, without the need for administrative privileges, can remove critical users, including "Admins" and "Root" users. This could result in unauthorized system access, administrative lockout, or operational disruptions. Given that user accounts are typically created by "Admins" or "Root" users, this vulnerability can be exploited by any user who has been granted access to an organization, thereby posing a critical risk to the security and operational stability of the application. This issue has been addressed in release version 0.8.0. Users are advised to upgrade.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
openobserve | openobserve |
Version: < 0.8.0 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-25106", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-12T19:33:22.090329Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:20:52.520Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:36:21.580Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-3m5f-9m66-xgp7", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-3m5f-9m66-xgp7" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "openobserve", "vendor": "openobserve", "versions": [ { "status": "affected", "version": "\u003c 0.8.0" } ] } ], "descriptions": [ { "lang": "en", "value": "OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A critical vulnerability has been identified in the \"/api/{org_id}/users/{email_id}\" endpoint. This vulnerability allows any authenticated user within an organization to remove any other user from that same organization, irrespective of their respective roles. This includes the ability to remove users with \"Admin\" and \"Root\" roles. By enabling any organizational member to unilaterally alter the user base, it opens the door to unauthorized access and can cause considerable disruptions in operations. The core of the vulnerability lies in the `remove_user_from_org` function in the user management system. This function is designed to allow organizational users to remove members from their organization. 
The function does not check if the user initiating the request has the appropriate administrative privileges to remove a user. Any user who is part of the organization, irrespective of their role, can remove any other user, including those with higher privileges. This vulnerability is categorized as an Authorization issue leading to Unauthorized User Removal. The impact is severe, as it compromises the integrity of user management within organizations. By exploiting this vulnerability, any user within an organization, without the need for administrative privileges, can remove critical users, including \"Admins\" and \"Root\" users. This could result in unauthorized system access, administrative lockout, or operational disruptions. Given that user accounts are typically created by \"Admins\" or \"Root\" users, this vulnerability can be exploited by any user who has been granted access to an organization, thereby posing a critical risk to the security and operational stability of the application. This issue has been addressed in release version 0.8.0. Users are advised to upgrade." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-272", "description": "CWE-272: Least Privilege Violation", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-08T23:05:46.143Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-3m5f-9m66-xgp7", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-3m5f-9m66-xgp7" } ], "source": { "advisory": "GHSA-3m5f-9m66-xgp7", "discovery": "UNKNOWN" }, "title": "OpenObserve Unauthorized Access Vulnerability in Users API" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-25106", "datePublished": "2024-02-08T23:05:46.143Z", "dateReserved": "2024-02-05T14:14:46.378Z", "dateUpdated": "2024-08-01T23:36:21.580Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-24830 (GCVE-0-2024-24830)
Vulnerability from cvelistv5
Published
2024-02-08 23:09
Modified
2025-05-08 18:41
CWE
Summary
OpenObserve is an observability platform built specifically for logs, metrics, traces, and analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application's role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
openobserve | openobserve |
Version: < 0.8.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:28:12.925Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-hfxx-g56f-8h5v", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-hfxx-g56f-8h5v" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-24830", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-05-08T18:41:08.107880Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-08T18:41:29.091Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "openobserve", "vendor": "openobserve", "versions": [ { "status": "affected", "version": "\u003c 0.8.0" } ] } ], "descriptions": [ { "lang": "en", "value": "OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the \"/api/{org_id}/users\" endpoint. This vulnerability allows any authenticated regular user (\u0027member\u0027) to add new users with elevated privileges, including the \u0027root\u0027 role, to an organization. This issue circumvents the intended security controls for role assignments. 
The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application\u0027s role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-272", "description": "CWE-272: Least Privilege Violation", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-08T23:09:16.222Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-hfxx-g56f-8h5v", "tags": [ "x_refsource_CONFIRM" ], "url": 
"https://github.com/openobserve/openobserve/security/advisories/GHSA-hfxx-g56f-8h5v" } ], "source": { "advisory": "GHSA-hfxx-g56f-8h5v", "discovery": "UNKNOWN" }, "title": "OpenObserve Privilege Escalation Vulnerability in Users API" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-24830", "datePublished": "2024-02-08T23:09:16.222Z", "dateReserved": "2024-01-31T16:28:17.947Z", "dateUpdated": "2025-05-08T18:41:29.091Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-55954 (GCVE-0-2024-55954)
Vulnerability from cvelistv5
Published
2025-01-16 19:30
Modified
2025-02-12 20:31
CWE
Summary
OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the `remove_user_from_org` function does not prevent an "Admin" user from removing a "Root" user. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org_id}/users/{email_id}` endpoint is affected. This issue has been addressed in release version `0.14.1` and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
openobserve | openobserve |
Version: < 0.14.1 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-55954", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-01-16T19:48:06.639039Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-12T20:31:21.093Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "openobserve", "vendor": "openobserve", "versions": [ { "status": "affected", "version": "\u003c 0.14.1" } ] } ], "descriptions": [ { "lang": "en", "value": "OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an \"Admin\" role user to remove a \"Root\" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the `remove_user_from_org` function does not prevent an \"Admin\" user from removing a \"Root\" user. As a result, an attacker with an \"Admin\" role can remove critical \"Root\" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org_id}/users/{email_id}` endpoint is affected. This issue has been addressed in release version `0.14.1` and all users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-272", "description": "CWE-272: Least Privilege Violation", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-16T19:30:39.218Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-m8gj-6r85-3r6m", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-m8gj-6r85-3r6m" }, { "name": "https://github.com/gaby/openobserve/blob/main/src/service/users.rs#L631", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/gaby/openobserve/blob/main/src/service/users.rs#L631" } ], "source": { "advisory": "GHSA-m8gj-6r85-3r6m", "discovery": "UNKNOWN" }, "title": "OpenObserve Improper Authorization Allows Admin User to Remove Root User" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-55954", "datePublished": "2025-01-16T19:30:39.218Z", "dateReserved": 
"2024-12-13T17:47:38.371Z", "dateUpdated": "2025-02-12T20:31:21.093Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-41809 (GCVE-0-2024-41809)
Vulnerability from cvelistv5
Published
2024-07-25 20:22
Modified
2024-08-12 20:57
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
OpenObserve is an open-source observability platform. Starting in version 0.4.4 and prior to version 0.10.0, OpenObserve contains a cross-site scripting vulnerability in line 32 of `openobserve/web/src/views/MemberSubscription.vue`. Version 0.10.0 sanitizes incoming HTML.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
openobserve | openobserve |
Version: >= 0.4.4, < 0.10.0 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:openobserve:openobserve:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "openobserve", "vendor": "openobserve", "versions": [ { "lessThan": "0.10.0", "status": "affected", "version": "0.4.4", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-41809", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-26T13:56:47.563924Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-12T20:57:41.387Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T04:46:52.701Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-rw8w-37p9-mrrp", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-rw8w-37p9-mrrp" }, { "name": "https://github.com/openobserve/openobserve/commit/2334377ebc8b74beb06ab3e5712dbdb1be1eff02", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/openobserve/openobserve/commit/2334377ebc8b74beb06ab3e5712dbdb1be1eff02" }, { "name": "https://github.com/openobserve/openobserve/commit/64587261968217dfb8af4c4f6054d58bbc6d331d", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/openobserve/openobserve/commit/64587261968217dfb8af4c4f6054d58bbc6d331d" }, { "name": "https://github.com/openobserve/openobserve/blob/v0.5.2/web/src/views/MemberSubscription.vue#L32", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/openobserve/openobserve/blob/v0.5.2/web/src/views/MemberSubscription.vue#L32" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ 
{ "product": "openobserve", "vendor": "openobserve", "versions": [ { "status": "affected", "version": "\u003e= 0.4.4, \u003c 0.10.0" } ] } ], "descriptions": [ { "lang": "en", "value": "OpenObserve is an open-source observability platform. Starting in version 0.4.4 and prior to version 0.10.0, OpenObserve contains a cross-site scripting vulnerability in line 32 of `openobserve/web/src/views/MemberSubscription.vue`. Version 0.10.0 sanitizes incoming html." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-25T20:22:14.726Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-rw8w-37p9-mrrp", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-rw8w-37p9-mrrp" }, { "name": "https://github.com/openobserve/openobserve/commit/2334377ebc8b74beb06ab3e5712dbdb1be1eff02", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/openobserve/openobserve/commit/2334377ebc8b74beb06ab3e5712dbdb1be1eff02" }, { "name": "https://github.com/openobserve/openobserve/commit/64587261968217dfb8af4c4f6054d58bbc6d331d", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/openobserve/openobserve/commit/64587261968217dfb8af4c4f6054d58bbc6d331d" }, { "name": 
"https://github.com/openobserve/openobserve/blob/v0.5.2/web/src/views/MemberSubscription.vue#L32", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/openobserve/openobserve/blob/v0.5.2/web/src/views/MemberSubscription.vue#L32" } ], "source": { "advisory": "GHSA-rw8w-37p9-mrrp", "discovery": "UNKNOWN" }, "title": "OpenObserve Cross-site Scripting (XSS) vulnerability in `openobserve/web/src/views/MemberSubscription.vue`" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-41809", "datePublished": "2024-07-25T20:22:14.726Z", "dateReserved": "2024-07-22T13:57:37.136Z", "dateUpdated": "2024-08-12T20:57:41.387Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd (CVE-2024-25106)
Published
2024-02-08 23:15
Modified
2024-11-21 09:00
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
OpenObserve is an observability platform built specifically for logs, metrics, traces, and analytics, designed to work at petabyte scale. A critical vulnerability has been identified in the "/api/{org_id}/users/{email_id}" endpoint. This vulnerability allows any authenticated user within an organization to remove any other user from that same organization, irrespective of their respective roles. This includes the ability to remove users with "Admin" and "Root" roles. By enabling any organizational member to unilaterally alter the user base, it opens the door to unauthorized access and can cause considerable disruptions in operations. The core of the vulnerability lies in the `remove_user_from_org` function in the user management system. This function is designed to allow organizational users to remove members from their organization. The function does not check whether the user initiating the request has the appropriate administrative privileges to remove a user. Any user who is part of the organization, irrespective of their role, can remove any other user, including those with higher privileges. This vulnerability is categorized as an Authorization issue leading to Unauthorized User Removal. The impact is severe, as it compromises the integrity of user management within organizations. By exploiting this vulnerability, any user within an organization, without the need for administrative privileges, can remove critical users, including "Admins" and "Root" users. This could result in unauthorized system access, administrative lockout, or operational disruptions. Given that user accounts are typically created by "Admins" or "Root" users, this vulnerability can be exploited by any user who has been granted access to an organization, thereby posing a critical risk to the security and operational stability of the application. This issue has been addressed in release version 0.8.0. Users are advised to upgrade.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/openobserve/openobserve/security/advisories/GHSA-3m5f-9m66-xgp7 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/openobserve/openobserve/security/advisories/GHSA-3m5f-9m66-xgp7 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
openobserve | openobserve | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:openobserve:openobserve:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D7A734A-45D6-47B6-942F-227F74B65B0D", "versionEndExcluding": "0.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A critical vulnerability has been identified in the \"/api/{org_id}/users/{email_id}\" endpoint. This vulnerability allows any authenticated user within an organization to remove any other user from that same organization, irrespective of their respective roles. This includes the ability to remove users with \"Admin\" and \"Root\" roles. By enabling any organizational member to unilaterally alter the user base, it opens the door to unauthorized access and can cause considerable disruptions in operations. The core of the vulnerability lies in the `remove_user_from_org` function in the user management system. This function is designed to allow organizational users to remove members from their organization. The function does not check if the user initiating the request has the appropriate administrative privileges to remove a user. Any user who is part of the organization, irrespective of their role, can remove any other user, including those with higher privileges. This vulnerability is categorized as an Authorization issue leading to Unauthorized User Removal. The impact is severe, as it compromises the integrity of user management within organizations. By exploiting this vulnerability, any user within an organization, without the need for administrative privileges, can remove critical users, including \"Admins\" and \"Root\" users. This could result in unauthorized system access, administrative lockout, or operational disruptions. 
Given that user accounts are typically created by \"Admins\" or \"Root\" users, this vulnerability can be exploited by any user who has been granted access to an organization, thereby posing a critical risk to the security and operational stability of the application. This issue has been addressed in release version 0.8.0. Users are advised to upgrade." }, { "lang": "es", "value": "OpenObserve es una plataforma de observabilidad creada espec\u00edficamente para registros, m\u00e9tricas, seguimientos y an\u00e1lisis, manipulada para funcionar a escala de petabytes. Se ha identificado una vulnerabilidad cr\u00edtica en el endpoint \"/api/{org_id}/users/{email_id}\". Esta vulnerabilidad permite que cualquier usuario autenticado dentro de una organizaci\u00f3n elimine a cualquier otro usuario de esa misma organizaci\u00f3n, independientemente de sus respectivas funciones. Esto incluye la capacidad de eliminar usuarios con roles de \"Administrador\" y \"Root\". Al permitir que cualquier miembro de la organizaci\u00f3n altere unilateralmente la base de usuarios, se abre la puerta al acceso no autorizado y puede causar interrupciones considerables en las operaciones. El n\u00facleo de la vulnerabilidad radica en la funci\u00f3n `remove_user_from_org` en el sistema de gesti\u00f3n de usuarios. Esta funci\u00f3n est\u00e1 manipulada para permitir a los usuarios de la organizaci\u00f3n eliminar miembros de su organizaci\u00f3n. La funci\u00f3n no comprueba si el usuario que inicia la solicitud tiene los privilegios administrativos adecuados para eliminar un usuario. Cualquier usuario que forme parte de la organizaci\u00f3n, independientemente de su rol, puede eliminar a cualquier otro usuario, incluidos aquellos con mayores privilegios. Esta vulnerabilidad se clasifica como un problema de autorizaci\u00f3n que conduce a la eliminaci\u00f3n de usuarios no autorizados. 
El impacto es grave, ya que compromete la integridad de la gesti\u00f3n de usuarios dentro de las organizaciones. Al explotar esta vulnerabilidad, cualquier usuario dentro de una organizaci\u00f3n, sin necesidad de privilegios administrativos, puede eliminar usuarios cr\u00edticos, incluidos los usuarios \"Admins\" y \"Root\". Esto podr\u00eda provocar un acceso no autorizado al sistema, un bloqueo administrativo o interrupciones operativas. Dado que las cuentas de usuario suelen ser creadas por \"Admins\" o usuarios \"Root\", esta vulnerabilidad puede ser explotada por cualquier usuario al que se le haya otorgado acceso a una organizaci\u00f3n, lo que representa un riesgo cr\u00edtico para la seguridad y la estabilidad operativa de la aplicaci\u00f3n. Este problema se solucion\u00f3 en la versi\u00f3n 0.8.0. Se recomienda a los usuarios que actualicen." } ], "id": "CVE-2024-25106", "lastModified": "2024-11-21T09:00:16.000", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-02-08T23:15:10.360", "references": [ { "source": 
"security-advisories@github.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-3m5f-9m66-xgp7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-3m5f-9m66-xgp7" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" }, { "lang": "en", "value": "CWE-272" }, { "lang": "en", "value": "CWE-284" }, { "lang": "en", "value": "CWE-285" }, { "lang": "en", "value": "CWE-287" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-07-25 21:15
Modified
2024-11-21 09:33
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
OpenObserve is an open-source observability platform. Starting in version 0.4.4 and prior to version 0.10.0, OpenObserve contains a cross-site scripting vulnerability at line 32 of `openobserve/web/src/views/MemberSubscription.vue`. Version 0.10.0 sanitizes the incoming HTML.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/openobserve/openobserve/blob/v0.5.2/web/src/views/MemberSubscription.vue#L32 | Product | |
security-advisories@github.com | https://github.com/openobserve/openobserve/commit/2334377ebc8b74beb06ab3e5712dbdb1be1eff02 | Patch | |
security-advisories@github.com | https://github.com/openobserve/openobserve/commit/64587261968217dfb8af4c4f6054d58bbc6d331d | Patch | |
security-advisories@github.com | https://github.com/openobserve/openobserve/security/advisories/GHSA-rw8w-37p9-mrrp | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/openobserve/openobserve/blob/v0.5.2/web/src/views/MemberSubscription.vue#L32 | Product | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/openobserve/openobserve/commit/2334377ebc8b74beb06ab3e5712dbdb1be1eff02 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/openobserve/openobserve/commit/64587261968217dfb8af4c4f6054d58bbc6d331d | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/openobserve/openobserve/security/advisories/GHSA-rw8w-37p9-mrrp | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
openobserve | openobserve | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:openobserve:openobserve:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E05D552-02CC-47A9-A856-80D7A1208BE4", "versionEndExcluding": "0.10.0", "versionStartIncluding": "0.4.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "OpenObserve is an open-source observability platform. Starting in version 0.4.4 and prior to version 0.10.0, OpenObserve contains a cross-site scripting vulnerability in line 32 of `openobserve/web/src/views/MemberSubscription.vue`. Version 0.10.0 sanitizes incoming html." }, { "lang": "es", "value": "OpenObserve es una plataforma de observabilidad de c\u00f3digo abierto. A partir de la versi\u00f3n 0.4.4 y anteriores a la versi\u00f3n 0.10.0, OpenObserve contiene una vulnerabilidad de Cross Site Scripting en la l\u00ednea 32 de `openobserve/web/src/views/MemberSubscription.vue`. La versi\u00f3n 0.10.0 sanitiza el HTML entrante." 
} ], "id": "CVE-2024-41809", "lastModified": "2024-11-21T09:33:07.010", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-07-25T21:15:11.310", "references": [ { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://github.com/openobserve/openobserve/blob/v0.5.2/web/src/views/MemberSubscription.vue#L32" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/openobserve/openobserve/commit/2334377ebc8b74beb06ab3e5712dbdb1be1eff02" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/openobserve/openobserve/commit/64587261968217dfb8af4c4f6054d58bbc6d331d" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-rw8w-37p9-mrrp" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://github.com/openobserve/openobserve/blob/v0.5.2/web/src/views/MemberSubscription.vue#L32" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/openobserve/openobserve/commit/2334377ebc8b74beb06ab3e5712dbdb1be1eff02" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/openobserve/openobserve/commit/64587261968217dfb8af4c4f6054d58bbc6d331d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-rw8w-37p9-mrrp" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-07-25 20:15
Modified
2024-11-21 09:33
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
The OpenObserve open-source observability platform provides the ability to filter logs in a dashboard by the values uploaded in a given log. However, all versions of the platform through 0.9.1 do not sanitize user input in the filter selection menu, which may result in complete account takeover. It has been noted that the front-end uses `DOMPurify` or Vue templating extensively to escape cross-site scripting (XSS); however, certain areas of the front end lack this XSS protection. When the missing protection is combined with the insecure authentication handling that the front-end uses, a malicious user may be able to take over any victim's account, provided the exploitation steps are met. As of the time of publication, no patched version is available.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/openobserve/openobserve/security/advisories/GHSA-hx23-g7m8-h76j | Exploit, Mitigation, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/openobserve/openobserve/security/advisories/GHSA-hx23-g7m8-h76j | Exploit, Mitigation, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
openobserve | openobserve | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:openobserve:openobserve:*:*:*:*:*:*:*:*", "matchCriteriaId": "B19834C1-B457-44B3-90C0-141BF51DAEF8", "versionEndIncluding": "0.9.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The OpenObserve open-source observability platform provides the ability to filter logs in a dashboard by the values uploaded in a given log. However, all versions of the platform through 0.9.1 do not sanitize user input in the filter selection menu, which may result in complete account takeover. It has been noted that the front-end uses `DOMPurify` or Vue templating to escape cross-site scripting (XSS) extensively, however certain areas of the front end lack this XSS protection. When combining the missing protection with the insecure authentication handling that the front-end uses, a malicious user may be able to take over any victim\u0027s account provided they meet the exploitation steps. As of time of publication, no patched version is available." }, { "lang": "es", "value": "La plataforma de observabilidad de c\u00f3digo abierto OpenObserve brinda la capacidad de filtrar registros en un panel por los valores cargados en un registro determinado. Sin embargo, todas las versiones de la plataforma hasta la 0.9.1 no sanitizan la entrada del usuario en el men\u00fa de selecci\u00f3n de filtros, lo que puede resultar en una apropiaci\u00f3n total de la cuenta. Se ha observado que el front-end utiliza `DOMPurify` o plantillas Vue para escapar ampliamente del cross-site scripting (XSS), sin embargo, ciertas \u00e1reas del front-end carecen de esta protecci\u00f3n XSS. Al combinar la protecci\u00f3n faltante con el manejo de autenticaci\u00f3n inseguro que utiliza el front-end, un usuario malintencionado puede hacerse cargo de la cuenta de cualquier v\u00edctima siempre que cumpla con los pasos de explotaci\u00f3n. 
Al momento de la publicaci\u00f3n, no hay ninguna versi\u00f3n parcheada disponible." } ], "id": "CVE-2024-41808", "lastModified": "2024-11-21T09:33:06.860", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-07-25T20:15:05.153", "references": [ { "source": "security-advisories@github.com", "tags": [ "Exploit", "Mitigation", "Vendor Advisory" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-hx23-g7m8-h76j" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mitigation", "Vendor Advisory" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-hx23-g7m8-h76j" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-02-08 23:15
Modified
2025-05-08 19:15
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
OpenObserve is an observability platform built specifically for logs, metrics, traces, and analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload's user role is not validated. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application's role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/openobserve/openobserve/security/advisories/GHSA-hfxx-g56f-8h5v | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/openobserve/openobserve/security/advisories/GHSA-hfxx-g56f-8h5v | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
openobserve | openobserve | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:openobserve:openobserve:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D7A734A-45D6-47B6-942F-227F74B65B0D", "versionEndExcluding": "0.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the \"/api/{org_id}/users\" endpoint. This vulnerability allows any authenticated regular user (\u0027member\u0027) to add new users with elevated privileges, including the \u0027root\u0027 role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application\u0027s role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability." }, { "lang": "es", "value": "OpenObserve es una plataforma de observabilidad creada espec\u00edficamente para registros, m\u00e9tricas, seguimientos y an\u00e1lisis, manipulada para funcionar a escala de petabytes. Se ha identificado una vulnerabilidad en el endpoint \"/api/{org_id}/users\". Esta vulnerabilidad permite que cualquier usuario normal autenticado (\"member\") agregue nuevos usuarios con privilegios elevados, incluido el rol \"root\", a una organizaci\u00f3n. Este problema elude los controles de seguridad previstos para las asignaciones de roles. 
La vulnerabilidad reside en el proceso de creaci\u00f3n de usuarios, donde el payload no valida los roles de los usuarios. Un usuario normal puede manipular el payload para asignar privilegios de nivel ra\u00edz. Esta vulnerabilidad conduce a una escalada de privilegios no autorizada y compromete significativamente el sistema de control de acceso basado en roles de la aplicaci\u00f3n. Permite un control no autorizado sobre los recursos de la aplicaci\u00f3n y supone un riesgo para la seguridad de los datos. Todos los usuarios, en particular aquellos con funciones administrativas, se ven afectados. Este problema se solucion\u00f3 en la versi\u00f3n 0.8.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad." } ], "id": "CVE-2024-24830", "lastModified": "2025-05-08T19:15:59.787", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": 
"HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-02-08T23:15:10.153", "references": [ { "source": "security-advisories@github.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-hfxx-g56f-8h5v" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-hfxx-g56f-8h5v" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" }, { "lang": "en", "value": "CWE-272" }, { "lang": "en", "value": "CWE-284" }, { "lang": "en", "value": "CWE-285" }, { "lang": "en", "value": "CWE-287" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }