CVE-2024-43784
📋 TL;DR
This vulnerability in lakeFS allows privilege inheritance when reusing usernames. When a deleted user's username is reused for a new account, the new user automatically inherits all credentials and permissions from the deleted user. This affects all lakeFS deployments where user accounts have been deleted and usernames are reused.
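The following Go program is an added illustration (it is neither the advisory's nor lakeFS's code) of the defect class the summary describes: an identity store that keys credentials and policy attachments by username and, on deletion, drops only the account record. The Store type, its method names and the sample key ID are assumptions made for the illustration. It shows the record-only delete beside a cascading delete, and an Orphans audit that lists credentials or policies whose owning account no longer exists, which is the check a defender runs when auditing for reused usernames.

```go
package main

import (
	"fmt"
	"sort"
)

// Store is a deliberately simplified identity store (an assumption for this
// illustration, not lakeFS's implementation) in which credentials and policy
// attachments are keyed by username rather than by a never-reused user ID.
type Store struct {
	users       map[string]bool     // username -> account exists
	credentials map[string][]string // username -> access key IDs
	policies    map[string][]string // username -> attached policy names
}

func NewStore() *Store {
	return &Store{
		users:       map[string]bool{},
		credentials: map[string][]string{},
		policies:    map[string][]string{},
	}
}

func (s *Store) CreateUser(name string) error {
	if s.users[name] {
		return fmt.Errorf("user already exists: %s", name)
	}
	s.users[name] = true
	return nil
}

func (s *Store) AddCredential(name, keyID string) { s.credentials[name] = append(s.credentials[name], keyID) }
func (s *Store) AttachPolicy(name, policy string) { s.policies[name] = append(s.policies[name], policy) }

// DeleteUserVulnerable removes only the account record. Credentials and
// policies stay behind under the now-free username, so a later CreateUser
// with the same name silently picks them up.
func (s *Store) DeleteUserVulnerable(name string) {
	delete(s.users, name)
}

// DeleteUserFixed cascades the deletion so nothing keyed by the username
// outlives the account.
func (s *Store) DeleteUserFixed(name string) {
	delete(s.users, name)
	delete(s.credentials, name)
	delete(s.policies, name)
}

// Policies returns the policy names an existing account currently holds.
func (s *Store) Policies(name string) []string {
	if !s.users[name] {
		return nil
	}
	return append([]string(nil), s.policies[name]...)
}

// Orphans lists usernames that still own credentials or policies but have
// no account: the leftovers a future username reuse would inherit.
func (s *Store) Orphans() []string {
	seen := map[string]bool{}
	for _, m := range []map[string][]string{s.credentials, s.policies} {
		for name := range m {
			if !s.users[name] {
				seen[name] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for name := range seen {
		out = append(out, name)
	}
	sort.Strings(out)
	return out
}

// Scenario replays delete-then-recreate through one of the two deletion
// paths and returns the policies the recreated account ends up holding.
func Scenario(cascade bool) []string {
	s := NewStore()
	_ = s.CreateUser("alice")
	s.AddCredential("alice", "AKIAEXAMPLE0001") // constructed sample key ID
	s.AttachPolicy("alice", "AdminPolicy")
	if cascade {
		s.DeleteUserFixed("alice")
	} else {
		s.DeleteUserVulnerable("alice")
	}
	_ = s.CreateUser("alice") // a different person is given the old username
	return s.Policies("alice")
}

func main() {
	fmt.Println("record-only delete, recreated user holds:", Scenario(false))
	fmt.Println("cascading delete, recreated user holds:", Scenario(true))
}
```

Running the program prints `[AdminPolicy]` for the record-only path and `[]` for the cascading path. The general fix is the cascading delete (or, better, keying everything by an internal ID that is never reused); the Orphans audit is what you run on an existing deployment to find what has already been left behind.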
💻 Affected Systems
- lakeFS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could create an account with a previously deleted admin username, gaining full administrative access to the lakeFS instance and all associated object storage data.
Likely Case
Accidental privilege escalation when administrators reuse usernames for new employees or service accounts, potentially granting unintended access to sensitive data.
If Mitigated
With proper username management policies and monitoring, the risk is limited to accidental exposure rather than malicious exploitation.
🎯 Exploit Status
Exploitation requires ability to create new user accounts and knowledge of previously deleted usernames.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.33.0
Vendor Advisory: https://github.com/treeverse/lakeFS/security/advisories/GHSA-hh33-46q4-hwm2
Restart Required: Yes
Instructions:
1. Backup your lakeFS configuration and data.
2. Stop the lakeFS service.
3. Upgrade to version 1.33.0 using your package manager or deployment method.
4. Restart the lakeFS service.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Username Reuse Prevention
Implement a policy to never reuse usernames for new accounts after deletion.
🧯 If You Can't Patch
- Implement strict username management policy prohibiting reuse of any deleted usernames
- Audit all user accounts and ensure no usernames have been reused since initial deployment
🔍 How to Verify
Check if Vulnerable:
Check if your lakeFS version is below 1.33.0 and if any user accounts have been deleted since deployment.
Check Version:
lakefs version
Verify Fix Applied:
After upgrading to 1.33.0, attempt to create a user with a previously deleted username and verify credentials are not inherited.
📡 Detection & Monitoring
Log Indicators:
- User creation events with previously deleted usernames
- Unexpected privilege assignments to new users
Network Indicators:
- Unusual API calls from newly created user accounts
SIEM Query:
source="lakefs" AND (event="user_created" OR event="user_deleted") | stats count by username
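As an added example (not from this page or from lakeFS), the following Go code implements the first log indicator above over a constructed JSON-lines audit log. The field names ts, event, username and actor are assumed for the illustration and are not lakeFS's actual log schema. It flags every user_created event whose username appeared in an earlier user_deleted event, records who performed the creation for triage, and also produces the per-username event count that the SIEM query's stats clause computes.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// sampleLog is a constructed JSON-lines audit log. The field names are an
// assumption for this illustration, not lakeFS's real log schema.
const sampleLog = `{"ts":"2024-08-01T09:00:00Z","event":"user_created","username":"alice","actor":"admin"}
{"ts":"2024-08-01T09:05:00Z","event":"user_created","username":"bob","actor":"admin"}
{"ts":"2024-08-10T17:30:00Z","event":"user_deleted","username":"alice","actor":"admin"}
{"ts":"2024-08-12T08:15:00Z","event":"user_created","username":"carol","actor":"admin"}
{"ts":"2024-08-20T10:00:00Z","event":"user_created","username":"alice","actor":"bob"}
`

type auditEvent struct {
	TS       string `json:"ts"`
	Event    string `json:"event"`
	Username string `json:"username"`
	Actor    string `json:"actor"`
}

// Finding is one user_created event that reused a previously deleted username.
type Finding struct {
	Username  string
	DeletedAt string
	CreatedAt string
	Actor     string // who performed the creation; the first thing to check in triage
}

// DetectReusedUsernames scans the log in order. It returns a finding for every
// user_created event whose username was deleted earlier in the stream, plus a
// per-username count of create/delete events (the "stats count by username"
// of the SIEM query).
func DetectReusedUsernames(raw string) ([]Finding, map[string]int, error) {
	deletedAt := map[string]string{} // username -> timestamp of its last deletion
	counts := map[string]int{}
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, nil, fmt.Errorf("malformed log line %q: %w", line, err)
		}
		switch ev.Event {
		case "user_deleted":
			deletedAt[ev.Username] = ev.TS
			counts[ev.Username]++
		case "user_created":
			counts[ev.Username]++
			if when, ok := deletedAt[ev.Username]; ok {
				findings = append(findings, Finding{ev.Username, when, ev.TS, ev.Actor})
				delete(deletedAt, ev.Username) // one finding per delete/recreate pair
			}
		}
	}
	return findings, counts, sc.Err()
}

func main() {
	findings, counts, err := DetectReusedUsernames(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("ALERT: username %q deleted at %s was recreated at %s by %s\n",
			f.Username, f.DeletedAt, f.CreatedAt, f.Actor)
	}
	fmt.Println("events per username:", counts)
}
```

On the sample log this raises one alert, for alice, recreated by bob ten days after the admin deleted her. A username with a count above one in the stats output is worth a look even without the pairing logic, because on an unpatched instance every recreation is a candidate for inherited access.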