CVE-2024-41809

7.2 HIGH

📋 TL;DR

OpenObserve versions 0.4.4 through 0.9.x contain a cross-site scripting (XSS) vulnerability in the MemberSubscription.vue component. This allows attackers to inject malicious scripts that execute in users' browsers when viewing the affected page. Organizations running vulnerable OpenObserve instances are affected.

💻 Affected Systems

Products:
  • OpenObserve
Versions: 0.4.4 through 0.9.x
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects web interface; observability data collection and storage components are not directly impacted.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠

Likely Case

Session hijacking, credential theft, or defacement of the OpenObserve interface.

🟢

If Mitigated

Limited impact with proper content security policies and user awareness training.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction with the vulnerable MemberSubscription page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.10.0

Vendor Advisory: https://github.com/openobserve/openobserve/security/advisories/GHSA-rw8w-37p9-mrrp

Restart Required: Yes

Instructions:

1. Back up your OpenObserve configuration and data.
2. Stop the OpenObserve service.
3. Upgrade to version 0.10.0 or later.
4. Restart the service.
5. Verify the upgrade was successful.

🔧 Temporary Workarounds

Implement Content Security Policy

Platforms: all

Add CSP headers to restrict script execution sources

Add the header "Content-Security-Policy: default-src 'self'; script-src 'self'" to the web server configuration.
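A script-src of 'self' blocks inline script blocks and javascript: URLs, which is what makes it useful against this class of XSS; it will also break any legitimate inline scripts the interface relies on, so the page should be exercised after the header is deployed. The following added example (not code from the advisory or from OpenObserve) parses a CSP header value and reports whether it still permits inline scripts, so the deployed header can be checked against the recommended one. The three policies at the bottom are constructed for comparison.

```python
"""Check whether a Content-Security-Policy value would let inline scripts run.
Added example for verifying the CSP workaround; not code from the advisory
or from OpenObserve."""

from typing import Dict, List, Optional


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Directives are ';'-separated; the first token of each is the name."""
    policy: Dict[str, List[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # The first occurrence of a directive wins; later duplicates are ignored.
        policy.setdefault(name, tokens[1:])
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs scripts; if it is absent, default-src applies; if both
    are absent the policy places no restriction on scripts at all (None)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def allows_inline_script(header_value: str) -> bool:
    """True when the policy permits inline <script> blocks or javascript: URLs.
    A nonce or hash source expression disables 'unsafe-inline' in browsers that
    implement CSP Level 2 or later, so that combination counts as blocking."""
    sources = effective_script_sources(parse_csp(header_value))
    if sources is None:
        return True  # no script-src and no default-src: nothing is restricted
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


# Constructed policies for comparison (not taken from any real deployment).
RECOMMENDED = "default-src 'self'; script-src 'self'"
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'"
MISSING_SCRIPT_SRC = "img-src 'self'"


def audit(policies: Dict[str, str]) -> Dict[str, bool]:
    """Map each named policy to whether it still allows inline scripts."""
    return {name: allows_inline_script(value) for name, value in policies.items()}


if __name__ == "__main__":
    results = audit({"recommended": RECOMMENDED, "weak": WEAK, "missing": MISSING_SCRIPT_SRC})
    for name, permits in results.items():
        print(f"{name}: inline scripts {'ALLOWED' if permits else 'blocked'}")
```

Run it against the value your reverse proxy actually emits (for example the header seen in a browser's network panel); only a result of "blocked" means the workaround is in effect for that response.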

Restrict Access to MemberSubscription Page

Platforms: all

Use web application firewall or access controls to limit who can access the vulnerable endpoint

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all user inputs
  • Deploy a web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check OpenObserve version via web interface or configuration files. Versions 0.4.4 through 0.9.x are vulnerable.

Check Version:

Check web interface or configuration files for version information

Verify Fix Applied:

Verify version is 0.10.0 or later and test MemberSubscription page with XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to MemberSubscription endpoint with script tags or JavaScript payloads
  • Multiple failed login attempts followed by MemberSubscription access

Network Indicators:

  • HTTP requests containing script tags or JavaScript in MemberSubscription parameters

SIEM Query:

source="openobserve" AND (uri="*MemberSubscription*" AND (content="<script>" OR content="javascript:"))
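The SIEM query above matches the literal strings "<script>" and "javascript:" in the request; in practice those arrive percent-encoded in the query string, so a detection should decode the URI before matching. The following added example (constructed log lines in a combined-log style, not OpenObserve's own log format or code) implements the same rule offline over a handful of sample requests, decoding the URI first and restricting the match to the MemberSubscription endpoint.

```python
"""Offline version of the SIEM query: flag requests to the MemberSubscription
endpoint whose URI carries a <script> tag or a javascript: URL. Added example
with constructed log lines; not OpenObserve's own logging format or code."""

import re
from typing import Dict, List
from urllib.parse import unquote

# Hypothetical access-log lines in a combined-log style (constructed for this
# example). Lines 2 and 3 are the ones the rule should flag.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2024:10:00:01 +0000] "GET /web/MemberSubscription?org=acme HTTP/1.1" 200 512
10.0.0.9 - - [01/Aug/2024:10:00:07 +0000] "GET /web/MemberSubscription?org=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 512
10.0.0.9 - - [01/Aug/2024:10:00:09 +0000] "GET /web/MemberSubscription?next=javascript:x HTTP/1.1" 200 512
10.0.0.7 - - [01/Aug/2024:10:00:12 +0000] "GET /api/search?q=%3Cscript%3E HTTP/1.1" 200 88
10.0.0.3 - - [01/Aug/2024:10:00:15 +0000] "POST /web/MemberSubscription HTTP/1.1" 302 0
"""

# Combined-log prefix: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
# Same indicators as the SIEM query, made tolerant of whitespace and case.
PAYLOAD_RE = re.compile(r"<\s*script|javascript:", re.IGNORECASE)


def decode_uri(uri: str) -> str:
    """Percent-decode twice so double-encoded values are also inspected;
    a substring match on the raw URI would miss %3Cscript%3E entirely."""
    return unquote(unquote(uri))


def find_suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request that targets MemberSubscription and
    carries a script tag or javascript: URL in its (decoded) URI."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these
        uri = decode_uri(match["uri"])
        if "membersubscription" in uri.lower() and PAYLOAD_RE.search(uri):
            hits.append({"ip": match["ip"], "ts": match["ts"], "uri": uri})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["uri"])
```

The endpoint filter keeps the rule's noise down (the /api/search line carries the same indicator but is out of scope for this CVE); if you drop it, the same function becomes a generic reflected-XSS indicator for the whole access log.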

🔗 References
