Gaby

**Name of the Vulnerable Software and Affected Versions** OpenObserve versions prior to 0.14.1 **Description** A vulnerability in the user management endpoint `/api/{org id}/users/{email id}` allows an "Admin" role user to remove a "Root" user from the organization, violating the intended privilege hierarchy. This is due to insufficient role checks in the `remove user from org` function, enabling a non-root user to remove the highest-privileged account. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org id}/users/{email id}` endpoint is affected. **Recommendations** For OpenObserve versions prior to 0.14.1, upgrade to release version 0.14.1 to address the issue. As a temporary workaround, consider restricting access to the `remove user from org` function or the `/api/{org id}/users/{email id}` endpoint to prevent "Admin" users from removing "Root" users until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** pyrage versions 1.2.0 through 1.2.2 **Description** The issue concerns the execution of arbitrary binaries due to malicious plugin names, recipients, or identities. This can occur when a plugin name containing a path separator is provided to the `age` CLI or certain `age` APIs, such as `age::plugin::Identity::from str` or `age::plugin::Recipient::from str`. The attack requires a directory matching `age-plugin-*` to exist in the working directory on UNIX systems. The binary is executed with a specific flag and receives the recipient or identity string and other data as standard input, following the `age-plugin` protocol. An equivalent issue was fixed in the reference Go implementation of `age`. **Recommendations** For pyrage versions 1.2.0 through 1.2.2, update to version 1.2.3 to address the issue. As a temporary workaround, consider disabling the plugin feature to minimize the risk of exploitation. Restrict access to the `age-plugin-*` directory to prevent the attack from succeeding. Avoid using plugin names containing path separators in the affected `age` APIs until the issue is resolved. At the moment, there are no other known workarounds for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fiber versions prior to 2.52.1 **Description** The issue is related to the CORS middleware in Fiber, which allows for insecure configurations. Specifically, it permits setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. This misconfiguration can lead to unauthorized access to sensitive user data and expose the system to various types of attacks. The impact of this issue is high. **Recommendations** For Fiber versions prior to 2.52.1, as a temporary workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. For Fiber versions prior to 2.52.1, update to version 2.52.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenObserve versions prior to 0.8.0 **Description** A vulnerability has been identified in the "/api/{org id}/users" endpoint, allowing any authenticated regular user to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments, residing in the user creation process where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges, leading to Unauthorized Privilege Escalation and significantly compromising the application's role-based access control system. This poses a risk to data security, impacting all users, particularly those in administrative roles. **Recommendations** For versions prior to 0.8.0, upgrade to release version 0.8.0 to address the vulnerability. As a temporary workaround, consider restricting access to the "/api/{org id}/users" endpoint to minimize the risk of exploitation. Avoid using the `org id` and `users` parameters in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: OpenObserve versions prior to 0.8.0 Description: A critical issue has been identified in the "/api/{org id}/users/{email id}" endpoint, allowing any authenticated user within an organization to remove any other user, including those with "Admin" and "Root" roles, due to a lack of proper access control. This is caused by the `remove user from org` function not checking for appropriate administrative privileges. The impact is severe, compromising user management integrity and potentially leading to unauthorized system access, administrative lockout, or operational disruptions. Recommendations: For OpenObserve versions prior to 0.8.0, upgrade to release version 0.8.0 to address the issue. As a temporary workaround, consider restricting access to the "/api/{org id}/users/{email id}" endpoint or disabling the `remove user from org` function until the upgrade can be applied.

**Name of the Vulnerable Software and Affected Versions** Fiber versions prior to 2.50.0 **Description** A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application, specifically due to the lack of token association with the original requestor. **Recommendations** For versions prior to 2.50.0, upgrade to version 2.50.0 or later to address the vulnerability. As a temporary workaround, consider implementing proper CSRF protection mechanisms, such as the Double Submit Cookie method or the Synchronizer Token Pattern using sessions. Additionally, users should take extra security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.