UBUNTU-CVE-2024-30896

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-30896

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-30896.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-30896

Upstream

CVE-2024-30896

Published

2024-11-21T11:15:00Z

Modified

2026-01-20T17:52:37.403511Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default organization to retrieve the operator token. InfluxDB OSS 1.x, Enterprise, Cloud, Cloud Dedicated and Clustered are not affected. NOTE: The researcher states that InfluxDB allows allAccess administrators to retrieve all raw tokens via an "influx auth ls" command. The supplier indicates that the organizations feature is operating as intended and that users may choose to add users to non-default organizations. A future release of InfluxDB 2.x will remove the ability to retrieve tokens from the API. The supplier has stated that InfluxDB 2.8.0 has addressed this issue.

References

Affected packages

Ubuntu:16.04:LTS

influxdb

Package

Name: influxdb
Purl: pkg:deb/ubuntu/influxdb@0.10.0+dfsg1-1?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.4+dfsg1-1

0.9.6.1+dfsg1-3

0.10.0+dfsg1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-influxdb-influxdb-dev",
            "binary_version": "0.10.0+dfsg1-1"
        },
        {
            "binary_name": "influxdb",
            "binary_version": "0.10.0+dfsg1-1"
        },
        {
            "binary_name": "influxdb-client",
            "binary_version": "0.10.0+dfsg1-1"
        },
        {
            "binary_name": "influxdb-dev",
            "binary_version": "0.10.0+dfsg1-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-30896.json"

Ubuntu:18.04:LTS

influxdb

Package

Name: influxdb
Purl: pkg:deb/ubuntu/influxdb@1.1.1+dfsg1-4+deb9u1ubuntu1?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.1+dfsg1-4

1.1.1+dfsg1-4+deb9u1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-influxdb-influxdb-dev",
            "binary_version": "1.1.1+dfsg1-4+deb9u1ubuntu1"
        },
        {
            "binary_name": "influxdb",
            "binary_version": "1.1.1+dfsg1-4+deb9u1ubuntu1"
        },
        {
            "binary_name": "influxdb-client",
            "binary_version": "1.1.1+dfsg1-4+deb9u1ubuntu1"
        },
        {
            "binary_name": "influxdb-dev",
            "binary_version": "1.1.1+dfsg1-4+deb9u1ubuntu1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-30896.json"

Ubuntu:20.04:LTS

influxdb

Package

Name: influxdb
Purl: pkg:deb/ubuntu/influxdb@1.6.4-1+deb10u1ubuntu0.2?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.4-1build1

1.6.4-1+deb10u1build0.20.04.1

1.6.4-1+deb10u1ubuntu0.1

1.6.4-1+deb10u1ubuntu0.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-influxdb-influxdb-dev",
            "binary_version": "1.6.4-1+deb10u1ubuntu0.2"
        },
        {
            "binary_name": "influxdb",
            "binary_version": "1.6.4-1+deb10u1ubuntu0.2"
        },
        {
            "binary_name": "influxdb-client",
            "binary_version": "1.6.4-1+deb10u1ubuntu0.2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-30896.json"

Ubuntu:22.04:LTS

influxdb

Package

Name: influxdb
Purl: pkg:deb/ubuntu/influxdb@1.6.7~rc0-1ubuntu0.22.04.3?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.7~rc0-1

1.6.7~rc0-1ubuntu0.22.04.1

1.6.7~rc0-1ubuntu0.22.04.2

1.6.7~rc0-1ubuntu0.22.04.3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-influxdb-influxdb-dev",
            "binary_version": "1.6.7~rc0-1ubuntu0.22.04.3"
        },
        {
            "binary_name": "influxdb",
            "binary_version": "1.6.7~rc0-1ubuntu0.22.04.3"
        },
        {
            "binary_name": "influxdb-client",
            "binary_version": "1.6.7~rc0-1ubuntu0.22.04.3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-30896.json"

Ubuntu:24.04:LTS

influxdb

Package

Name: influxdb
Purl: pkg:deb/ubuntu/influxdb@1.6.7~rc0-2ubuntu0.24.04.3?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.7~rc0-2build1

1.6.7~rc0-2ubuntu0.24.04.1

1.6.7~rc0-2ubuntu0.24.04.2

1.6.7~rc0-2ubuntu0.24.04.3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-influxdb-influxdb-dev",
            "binary_version": "1.6.7~rc0-2ubuntu0.24.04.3"
        },
        {
            "binary_name": "influxdb",
            "binary_version": "1.6.7~rc0-2ubuntu0.24.04.3"
        },
        {
            "binary_name": "influxdb-client",
            "binary_version": "1.6.7~rc0-2ubuntu0.24.04.3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-30896.json"

Ubuntu:25.10

influxdb

Package

Name: influxdb
Purl: pkg:deb/ubuntu/influxdb@1.6.7~rc0-2build1?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.7~rc0-2build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-influxdb-influxdb-dev",
            "binary_version": "1.6.7~rc0-2build1"
        },
        {
            "binary_name": "influxdb",
            "binary_version": "1.6.7~rc0-2build1"
        },
        {
            "binary_name": "influxdb-client",
            "binary_version": "1.6.7~rc0-2build1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-30896.json"