CVE-2024-30896
📋 TL;DR
InfluxDB OSS 2.x through 2.7.11 stores administrative operator tokens under the default organization, allowing users with read access to authorization resources in that organization to retrieve sensitive tokens. This affects only InfluxDB OSS 2.x installations, not 1.x, Enterprise, Cloud, or Clustered versions. The vulnerability enables privilege escalation by exposing administrative credentials to users with limited permissions.
💻 Affected Systems
- InfluxDB OSS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers with read access to default organization authorization resources can obtain operator tokens, leading to full administrative control over the InfluxDB instance, data exfiltration, data manipulation, and potential lateral movement.
Likely Case
Authorized users with read permissions in the default organization can escalate privileges to administrative level, gaining unauthorized access to sensitive data and system configuration.
If Mitigated
With proper access controls limiting users to non-default organizations, the impact is minimal as tokens remain inaccessible to unauthorized users.
🎯 Exploit Status
Exploitation requires existing user credentials with read access to authorization resources in the default organization. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.0
Vendor Advisory: https://github.com/influxdata/influxdb/releases/tag/v2.8.0
Restart Required: Yes
Instructions:
1. Back up your InfluxDB data and configuration.
2. Download InfluxDB 2.8.0 from the official repository.
3. Stop the InfluxDB service.
4. Install/upgrade to version 2.8.0.
5. Restart the InfluxDB service.
6. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict Default Organization Access
Move all non-administrative users to non-default organizations and restrict access to default organization authorization resources.
influx org members list --org-id <default-org-id>
influx org members remove --member <user-id> --org-id <default-org-id>
influx org members add --member <user-id> --org-id <non-default-org-id>
🧯 If You Can't Patch
- Implement strict access controls ensuring only administrators have access to default organization resources
- Monitor and audit all token retrieval attempts and authorization resource access patterns
🔍 How to Verify
Check if Vulnerable:
Check the InfluxDB version: if the server runs a 2.x release at 2.7.11 or earlier, the system is vulnerable. Then verify whether users with read-only permissions in the default organization can access authorization resources.
Check Version:
influx version
Verify Fix Applied:
After upgrading to 2.8.0, verify that the reported version is 2.8.0 or higher and test that users without administrative privileges can no longer retrieve operator tokens via API calls.
📡 Detection & Monitoring
Log Indicators:
- Unusual token retrieval patterns
- Multiple failed authorization attempts followed by successful token access
- Users with limited permissions accessing administrative endpoints
Network Indicators:
- API calls to /api/v2/authorizations endpoint from non-admin users
- Increased traffic to token-related endpoints
SIEM Query:
source="influxdb" AND (uri_path="/api/v2/authorizations" OR message="token retrieval") AND user_role!="admin"
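Added example, not code from the advisory or from InfluxData: a Python helper that applies the version test from "How to Verify" and the filter logic of the SIEM query above to constructed log records. The fields source, uri_path, message, user_role, user and org are assumed from the query; a stock InfluxDB httpd log does not carry a user role, so such enrichment is an assumption.

```python
"""Checks for CVE-2024-30896 (InfluxDB OSS 2.x before 2.8.0).
Added example; log records and version strings below are constructed."""
import json
import re

FIXED = (2, 8, 0)
AUTHZ_PATH = "/api/v2/authorizations"

def parse_version(text):
    """Pull the first x.y.z from a version string (e.g. 'InfluxDB v2.7.11 (git: ...)')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(version):
    """True for any 2.x release below the 2.8.0 fix; 1.x is out of scope."""
    return version is not None and version[0] == 2 and version < FIXED

def suspicious_events(lines):
    """SIEM logic: influxdb source, authorizations path or 'token retrieval'
    message, and a caller whose role is not admin. Returns (user, path, org)."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("source") != "influxdb":
            continue
        if rec.get("uri_path") != AUTHZ_PATH and rec.get("message") != "token retrieval":
            continue
        if rec.get("user_role") == "admin":
            continue
        hits.append((rec.get("user"), rec.get("uri_path"), rec.get("org")))
    return hits

# Constructed sample records with an assumed enriched schema, not real captures.
SAMPLE_LOGS = [
    '{"source":"influxdb","uri_path":"/api/v2/authorizations","user":"alice","user_role":"admin","org":"default"}',
    '{"source":"influxdb","uri_path":"/api/v2/authorizations","user":"bob","user_role":"member","org":"default"}',
    '{"source":"influxdb","uri_path":"/api/v2/query","user":"bob","user_role":"member","org":"default"}',
    '{"source":"nginx","uri_path":"/api/v2/authorizations","user":"carol","user_role":"member","org":"default"}',
    '{"source":"influxdb","message":"token retrieval","user":"dave","user_role":"member","org":"analytics"}',
]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable(parse_version("InfluxDB v2.7.11 (git: abcdef)")))
    for hit in suspicious_events(SAMPLE_LOGS):
        print("ALERT non-admin access to authorization resources:", hit)
```

Hits in the default organization are the ones that match this CVE directly; the org field is returned so an analyst can rank them first.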