CVE-2024-55954
📋 TL;DR
This vulnerability in OpenObserve allows users with 'Admin' role privileges to delete 'Root' user accounts, bypassing intended privilege hierarchy. This affects all OpenObserve deployments with multiple users where at least one user has Admin privileges. An attacker with Admin access could remove the highest-privileged accounts, potentially gaining full control.
💻 Affected Systems
- OpenObserve
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete organizational takeover where all Root users are removed, leaving only Admin users who can then modify all settings, access all data, and potentially lock out legitimate administrators.
Likely Case
Targeted removal of specific Root users by malicious or compromised Admin accounts, leading to privilege escalation and potential data manipulation or exfiltration.
If Mitigated
Limited impact if strong access controls, monitoring, and least privilege principles are already implemented, with quick detection of unauthorized user deletions.
🎯 Exploit Status
Requires authenticated Admin user access. Exploitation is straightforward once Admin credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.14.1
Vendor Advisory: https://github.com/openobserve/openobserve/security/advisories/GHSA-m8gj-6r85-3r6m
Restart Required: No
Instructions:
1. Backup your OpenObserve configuration and data.
2. Stop the OpenObserve service.
3. Upgrade to version 0.14.1 using your deployment method (Docker, binary, etc.).
4. Restart the service.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
No known workarounds
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Implement strict access controls and monitoring for Admin users, especially those with DELETE permissions on user endpoints.
- Consider temporarily demoting Admin users to lower privilege roles until patching is possible, while maintaining operational needs.
🔍 How to Verify
Check if Vulnerable:
Check your OpenObserve version. If it's below 0.14.1 and you have multiple users with Admin and Root roles, you are vulnerable.
Check Version:
Check the OpenObserve web interface dashboard or run the service with --version flag if using binary deployment.
Verify Fix Applied:
After upgrading to 0.14.1, verify that Admin users can no longer delete Root users by testing the DELETE endpoint with Admin credentials.
📡 Detection & Monitoring
Log Indicators:
- DELETE requests to /api/{org_id}/users/{email_id} endpoints where the target user has Root role
- Unauthorized user deletion events in audit logs
- Changes to user privilege levels without proper authorization
Network Indicators:
- HTTP DELETE requests to user management API endpoints from non-Root user accounts
SIEM Query:
source="openobserve" AND (http_method="DELETE" AND uri_path="/api/*/users/*") AND user_role!="root"
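The SIEM query above expressed as offline detection logic, as an added example that is not part of this advisory or of OpenObserve itself. It runs over constructed JSON log lines whose field names (`actor`, `user_role`, `http_method`, `uri_path`, `status`) are an assumption mirroring the query; it flags every DELETE on `/api/{org_id}/users/{email_id}` by a non-Root actor and, using a constructed roster of Root accounts, marks whether the target was a Root user and whether the request succeeded.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample log lines (not real OpenObserve output). The field names are
# an assumption chosen to match the SIEM query fields in this advisory.
SAMPLE_LOGS = [
    '{"ts":"2025-01-10T12:00:01Z","actor":"alice@example.com","user_role":"root",'
    '"http_method":"DELETE","uri_path":"/api/default/users/bob@example.com","status":200}',
    '{"ts":"2025-01-10T12:00:05Z","actor":"carol@example.com","user_role":"admin",'
    '"http_method":"DELETE","uri_path":"/api/default/users/alice%40example.com","status":200}',
    '{"ts":"2025-01-10T12:00:09Z","actor":"carol@example.com","user_role":"admin",'
    '"http_method":"GET","uri_path":"/api/default/users","status":200}',
    '{"ts":"2025-01-10T12:00:12Z","actor":"dave@example.com","user_role":"admin",'
    '"http_method":"DELETE","uri_path":"/api/default/users/erin@example.com","status":403}',
]

# Constructed roster of accounts known to hold the Root role in this deployment.
ROOT_USERS = {"alice@example.com"}

# Matches the user-management endpoint /api/{org_id}/users/{email_id}.
USER_ENDPOINT = re.compile(r"^/api/(?P<org>[^/]+)/users/(?P<target>[^/]+)$")


def find_suspicious_deletes(lines, root_users):
    """Return one alert per DELETE on a user endpoint issued by a non-Root actor."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if event.get("http_method") != "DELETE":
            continue
        match = USER_ENDPOINT.match(event.get("uri_path", ""))
        if not match:
            continue
        if event.get("user_role", "").lower() == "root":
            continue  # Root actors are the only ones expected to delete users
        target = unquote(match.group("target"))  # email may be percent-encoded in the path
        alerts.append({
            "ts": event["ts"],
            "actor": event["actor"],
            "org": match.group("org"),
            "target": target,
            "target_is_root": target in root_users,   # privilege-hierarchy bypass if True
            "succeeded": event.get("status") == 200,  # 403 means the server refused it
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_deletes(SAMPLE_LOGS, ROOT_USERS):
        print(alert)
```

A successful alert with `target_is_root` set is the signature of this CVE being exercised on an unpatched instance; refused attempts are still worth reviewing as reconnaissance by an Admin account.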