CVE-2024-55954

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-55954
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-55954.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-55954
Aliases
  • GHSA-m8gj-6r85-3r6m
Published
2025-01-16T19:30:39.218Z
Modified
2026-04-10T05:18:38.032752Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
Summary
OpenObserve Improper Authorization Allows Admin User to Remove Root User
Details

OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint /api/{org_id}/users/{email_id} allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the remove_user_from_org function does not prevent an "Admin" user from removing a "Root" user. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The DELETE /api/{org_id}/users/{email_id} endpoint is affected. This issue has been addressed in release version 0.14.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55954.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-269",
        "CWE-272",
        "CWE-284",
        "CWE-285",
        "CWE-287"
    ]
}
References

Affected packages

Git / github.com/openobserve/openobserve

Affected ranges

Type
GIT
Repo
https://github.com/openobserve/openobserve
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
adc52c1ed1c2147b891b3a9a40943dd7992565bb
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.14.1"
        }
    ]
}

Affected versions

v0.*
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.10.0
v0.10.1
v0.10.2
v0.10.2-rc1
v0.10.3
v0.10.4
v0.10.5
v0.10.6
v0.10.6-rc1
v0.10.6-rc2
v0.10.7
v0.10.7-rc1
v0.10.7-rc2
v0.10.7-rc3
v0.10.8
v0.10.8-rc1
v0.10.8-rc2
v0.10.8-rc3
v0.10.8-rc4
v0.10.8-rc5
v0.10.9
v0.10.9-rc1
v0.10.9-rc2
v0.10.9-rc3
v0.10.9-rc4
v0.11.0
v0.11.0-rc1
v0.11.0-rc2
v0.11.0-rc3
v0.12.0
v0.12.0-rc1
v0.12.0-rc2
v0.12.1
v0.13.0
v0.13.0-rc1
v0.13.0-rc2
v0.13.1
v0.13.1-rc1
v0.13.1-rc2
v0.13.1-rc3
v0.13.2-rc1
v0.13.2-rc2
v0.13.2-rc3
v0.13.2-rc4
v0.14.0
v0.14.1-rc1
v0.14.1-rc2
v0.14.1-rc3
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.7.0
v0.7.0-rc1
v0.7.0-rc2
v0.7.2
v0.7.2-rc1
v0.8.0
v0.8.0-rc1
v0.8.0-rc2
v0.8.1
v0.8.1-rc1
v0.8.1-rc2
v0.8.2-rc1
v0.8.2-rc2
v0.8.2-rc3
v0.8.2-rc4
v0.8.2-rc5
v0.8.2-rc6
v0.8.2-rc7
v0.9.0-rc1
v0.9.0-rc2
v0.9.0-rc3
v0.9.0-rc4
v0.9.0-rc5
v0.9.0-rc6
v0.9.0-rc7
v0.9.0-rc8
v0.9.1
v0.9.2-rc1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-55954.json"