Unknown · Openobserve · CVE-2024-25106
Name of the Vulnerable Software and Affected Versions:
OpenObserve versions prior to 0.8.0
Description:
A critical access-control flaw has been identified in the "/api/{org id}/users/{email id}" endpoint (reached with an HTTP DELETE request to remove a user from an organization). Any authenticated user within an organization, including an ordinary member, can remove any other user from that organization, including users holding the "Admin" and "Root" roles, because the `remove user from org` function never verifies that the caller holds an administrative role before performing the removal. The impact is severe: user-management integrity is compromised, and an attacker who controls any account in the organization can lock out administrators, disrupt operations, and potentially gain unauthorized system access.
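As an added illustration of the bug class (this is not OpenObserve's code; the types, function names, role names and sample accounts below are assumptions chosen to model the missing check), here is a minimal in-memory version of the two handler shapes: the vulnerable one removes whichever user the URL names as long as the caller exists in the organization, while the hardened one decides authorization from the caller's and target's roles before touching any state and refuses to remove the last Root account.

```rust
// Added example modelling CVE-2024-25106; not OpenObserve's code.
// Role names, function names and the sample organization are assumptions.
use std::collections::HashMap;

/// Ordered so that Member < Admin < Root for the comparison below.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    Member,
    Admin,
    Root,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RemoveError {
    CallerNotInOrg,
    TargetNotInOrg,
    Forbidden,
    LastRoot,
}

/// In-memory stand-in for an organization's user table: email -> role.
pub type OrgUsers = HashMap<String, Role>;

/// Vulnerable shape: the only check is that the caller is some member of the
/// organization (i.e. is authenticated). The caller's role is never consulted,
/// so a Member can delete an Admin or Root account.
pub fn remove_user_from_org_vulnerable(
    org: &mut OrgUsers,
    caller: &str,
    target: &str,
) -> Result<(), RemoveError> {
    if !org.contains_key(caller) {
        return Err(RemoveError::CallerNotInOrg);
    }
    org.remove(target).map(|_| ()).ok_or(RemoveError::TargetNotInOrg)
}

/// Hardened shape: authorize before mutating.
/// - Only Admin or Root may remove users.
/// - A caller may not remove a user whose role outranks their own
///   (so only Root may remove Root).
/// - The final Root account can never be removed (no administrative lockout).
pub fn remove_user_from_org_hardened(
    org: &mut OrgUsers,
    caller: &str,
    target: &str,
) -> Result<(), RemoveError> {
    let caller_role = *org.get(caller).ok_or(RemoveError::CallerNotInOrg)?;
    let target_role = *org.get(target).ok_or(RemoveError::TargetNotInOrg)?;

    // Authorization decision, taken before any state change.
    if caller_role < Role::Admin || caller_role < target_role {
        return Err(RemoveError::Forbidden);
    }

    // Lockout guard: refuse to delete the last Root account.
    let root_count = org.values().filter(|r| **r == Role::Root).count();
    if target_role == Role::Root && root_count == 1 {
        return Err(RemoveError::LastRoot);
    }

    org.remove(target);
    Ok(())
}

/// Constructed sample organization (assumed accounts) for the demo and tests.
pub fn sample_org() -> OrgUsers {
    let mut org = OrgUsers::new();
    org.insert("root@example.com".to_string(), Role::Root);
    org.insert("admin@example.com".to_string(), Role::Admin);
    org.insert("member@example.com".to_string(), Role::Member);
    org
}

fn main() {
    let mut vulnerable = sample_org();
    let r = remove_user_from_org_vulnerable(&mut vulnerable, "member@example.com", "root@example.com");
    println!("vulnerable: member removes root -> {:?}", r);

    let mut hardened = sample_org();
    let r = remove_user_from_org_hardened(&mut hardened, "member@example.com", "root@example.com");
    println!("hardened:   member removes root -> {:?}", r);
}
```

The point to carry over to a real handler is the ordering: the role comparison and the last-Root guard both run against the current user table before `remove` is called, so a request that fails authorization leaves the organization unchanged and can be logged as a 403 rather than discovered later as a missing administrator.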
Recommendations:
For OpenObserve versions prior to 0.8.0, upgrade to release 0.8.0 or later, which addresses the issue by adding the missing authorization check. If the upgrade cannot be applied immediately, restrict access to the "/api/{org id}/users/{email id}" endpoint at the reverse proxy or API gateway (for example, allow DELETE requests to that path only from trusted administrative sources), or disable the `remove user from org` function until the upgrade is in place. Because the flaw allows any member to silently delete privileged accounts, also review each organization's user list and access logs for unexpected user removals that occurred before the fix was applied.