CVE-2024-24830
📋 TL;DR
This vulnerability allows any authenticated regular user in OpenObserve to create new users with administrative 'root' privileges, bypassing intended role-based access controls. It leads to unauthorized privilege escalation and compromises the entire access control system. All users of affected versions are impacted, particularly administrators.
💻 Affected Systems
- OpenObserve
📦 What is this software?
OpenObserve by OpenObserve
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full administrative control over the OpenObserve instance, allowing them to access, modify, or delete all logs, metrics, traces, and analytics data, potentially compromising entire observability infrastructure.
Likely Case
Malicious or compromised regular users escalate their privileges to root level, gaining unauthorized access to sensitive observability data and administrative functions.
If Mitigated
With proper network segmentation and monitoring, impact is limited to the OpenObserve instance itself, though data confidentiality and integrity remain compromised.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via API manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.0
Vendor Advisory: https://github.com/openobserve/openobserve/security/advisories/GHSA-hfxx-g56f-8h5v
Restart Required: Yes
Instructions:
1. Back up your OpenObserve configuration and data.
2. Stop the OpenObserve service.
3. Upgrade to version 0.8.0 or later.
4. Restart the service.
5. Verify the upgrade was successful.
🧯 If You Can't Patch
- Restrict network access to OpenObserve API endpoints to only trusted administrative users.
- Implement API gateway or WAF rules to block requests to the /api/{org_id}/users endpoint from non-admin users.
🔍 How to Verify
Check if Vulnerable:
Check if your OpenObserve version is below 0.8.0 by accessing the web interface or checking the running container/process version.
Check Version:
curl -s http://localhost:5080/api/system/version | grep version
Verify Fix Applied:
After upgrading to 0.8.0 or later, verify that regular users cannot create users with root privileges via the /api/{org_id}/users endpoint.
📡 Detection & Monitoring
Log Indicators:
- Unusual user creation events from non-admin accounts
- API requests to /api/{org_id}/users with role parameters containing 'root' or elevated privileges
Network Indicators:
- POST requests to the /api/{org_id}/users endpoint from non-admin user accounts
SIEM Query:
source="openobserve" AND (path="/api/*/users" AND method="POST") AND user_role!="admin" AND user_role!="root"
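The same detection logic as the SIEM query above, run offline over a few constructed access-log records. This is an added example, not code from the advisory or the OpenObserve project; the JSON field names (user, user_role, method, path, body_role) are assumptions for illustration, not OpenObserve's actual log schema.

```python
import json
import re

# Constructed sample records (assumed field names, not OpenObserve's real log schema).
SAMPLE_LOGS = """
{"ts":"2024-02-01T10:00:00Z","user":"alice","user_role":"member","method":"POST","path":"/api/default/users","body_role":"root"}
{"ts":"2024-02-01T10:01:00Z","user":"bob","user_role":"admin","method":"POST","path":"/api/default/users","body_role":"member"}
{"ts":"2024-02-01T10:02:00Z","user":"carol","user_role":"member","method":"GET","path":"/api/default/users","body_role":null}
{"ts":"2024-02-01T10:03:00Z","user":"dave","user_role":"member","method":"POST","path":"/api/ops/users","body_role":"member"}
"""

# Matches /api/{org_id}/users for any org_id, with or without a trailing slash.
USERS_PATH = re.compile(r"^/api/[^/]+/users/?$")
PRIVILEGED = {"admin", "root"}


def classify(record):
    """Return a finding label for one parsed record, or None if it is benign."""
    if record.get("method") != "POST":
        return None
    if not USERS_PATH.match(record.get("path", "")):
        return None
    # Admin/root callers creating users is expected behaviour.
    if record.get("user_role") in PRIVILEGED:
        return None
    # A non-admin caller asking for an elevated role is the strongest indicator.
    if record.get("body_role") in PRIVILEGED:
        return "non-admin user-creation request with elevated role"
    return "non-admin user-creation request"


def scan(raw):
    """Parse newline-delimited JSON records and return (user, path, label) findings."""
    findings = []
    for line in raw.strip().splitlines():
        rec = json.loads(line)
        label = classify(rec)
        if label:
            findings.append((rec["user"], rec["path"], label))
    return findings


if __name__ == "__main__":
    for user, path, label in scan(SAMPLE_LOGS):
        print(f"{user} {path}: {label}")
```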