CVE-2024-49581
📋 TL;DR
CVE-2024-49581 is an authorization bypass vulnerability in Palantir Foundry's Object Explorer where users without proper permissions could view restricted objects under specific circumstances. This only affected authenticated users within the same organization and did not allow cross-organizational or unauthenticated access. The vulnerability has been patched and automatically deployed to all Apollo-managed Foundry instances.
💻 Affected Systems
- Palantir Foundry
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Authenticated users could access sensitive restricted objects they are not permitted to view, potentially exposing confidential business data or intellectual property.
Likely Case
Users with some access privileges could inadvertently or intentionally view additional restricted objects beyond their intended permissions, leading to data exposure within organizational boundaries.
If Mitigated
With proper access controls and monitoring, the impact is limited to potential unauthorized viewing of some restricted objects by authenticated users who already have some level of system access.
🎯 Exploit Status
Exploitation requires specific circumstances and authenticated access. The advisory indicates it was a software bug in authorization logic for object viewing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Automatically deployed patch (specific version not disclosed)
Vendor Advisory: https://palantir.safebase.us/?tcuUid=b60db1ee-4b1a-475d-848e-c5a670a0da16
Restart Required: No
Instructions:
For Apollo-managed Foundry instances: The patch has been automatically deployed. No customer action required.
For self-managed instances: Contact Palantir support for patching instructions.
🔧 Temporary Workarounds
Restrict Object Explorer Access
Temporarily limit or monitor Object Explorer usage for sensitive data until the patch is confirmed applied
No specific commands - implement via Foundry access controls
🧯 If You Can't Patch
- Implement enhanced monitoring of Object Explorer access patterns and user behavior
- Review and tighten existing access controls for sensitive objects and data
🔍 How to Verify
Check if Vulnerable:
Check with Palantir support or review system logs for unauthorized object access attempts in Object Explorer
Check Version:
Contact Palantir support for version verification as this is a cloud service
Verify Fix Applied:
Confirm with Palantir that your instance has received the automatic patch deployment
📡 Detection & Monitoring
Log Indicators:
- Unusual Object Explorer access patterns
- Users accessing object types outside their normal patterns
- Failed authorization attempts followed by successful object views
Network Indicators:
- Not applicable - this is an application-layer authorization bypass
SIEM Query:
Search for Object Explorer access logs where user permissions don't match accessed object types or where access patterns deviate from baseline
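As an added example (not from the advisory or from Palantir), the two indicators above turned into detection logic over constructed audit records: a denied Object Explorer view followed by an allowed view of the same object, and allowed views of object types outside a user's expected set. The JSON field names, the sample events and the per-user expected object types are assumptions, since the advisory does not describe Foundry's log schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical JSON-lines format; this is NOT
# Foundry's real audit schema, which the advisory does not describe.
SAMPLE_LOG = """
{"ts": "2024-10-01T09:00:00Z", "user": "alice", "app": "object-explorer", "action": "view", "object_type": "Contract", "object_id": "obj-1", "result": "denied"}
{"ts": "2024-10-01T09:00:20Z", "user": "alice", "app": "object-explorer", "action": "view", "object_type": "Contract", "object_id": "obj-1", "result": "allowed"}
{"ts": "2024-10-01T09:05:00Z", "user": "bob", "app": "object-explorer", "action": "view", "object_type": "Ticket", "object_id": "obj-7", "result": "allowed"}
{"ts": "2024-10-01T10:00:00Z", "user": "carol", "app": "object-explorer", "action": "view", "object_type": "Contract", "object_id": "obj-2", "result": "denied"}
{"ts": "2024-10-01T12:00:00Z", "user": "carol", "app": "object-explorer", "action": "view", "object_type": "Contract", "object_id": "obj-2", "result": "allowed"}
"""

# Constructed baseline: object types each user is expected to view (assumption).
EXPECTED_TYPES = {"alice": {"Ticket"}, "bob": {"Ticket"}, "carol": {"Contract"}}

def parse_events(text):
    """Parse JSON lines, convert timestamps and return events sorted by time."""
    events = [json.loads(l) for l in text.strip().splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def is_explorer_view(e):
    return e.get("app") == "object-explorer" and e.get("action") == "view"

def denied_then_allowed(events, window=timedelta(minutes=10)):
    """Flag (user, object) pairs where a denied view is followed by an allowed
    view of the same object within `window` (indicator 3 above)."""
    last_denied = {}  # (user, object_id) -> time of most recent denial
    findings = []
    for e in (x for x in events if is_explorer_view(x)):
        key = (e["user"], e["object_id"])
        if e["result"] == "denied":
            last_denied[key] = e["ts"]
        elif e["result"] == "allowed" and key in last_denied:
            gap = e["ts"] - last_denied.pop(key)
            if gap <= window:
                findings.append({"user": e["user"], "object_id": e["object_id"],
                                 "seconds_after_denial": gap.total_seconds()})
    return findings

def out_of_scope_views(events, expected=EXPECTED_TYPES):
    """Allowed views of object types outside the user's expected set (indicator 2)."""
    return [{"user": e["user"], "object_id": e["object_id"], "object_type": e["object_type"]}
            for e in events if is_explorer_view(e) and e["result"] == "allowed"
            and e["object_type"] not in expected.get(e["user"], set())]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(denied_then_allowed(evs))   # alice: allowed 20 s after denial
    print(out_of_scope_views(evs))    # alice viewing a Contract
```

Carol's allowed view two hours after her denial falls outside the 10-minute window and is deliberately not flagged; tune the window to your environment's baseline.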