PT-2024-20597 · Unknown · Openobserve
Gaby · Published 2024-02-08 · Updated 2025-08-27
CVE-2024-24830
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenObserve versions prior to 0.8.0
Description: A vulnerability has been identified in the "/api/{org id}/users" endpoint that allows any authenticated regular user to add new users with elevated privileges, including the 'root' role, to an organization. The issue lies in the user-creation process: the handler does not validate the role supplied in the request payload, so the intended controls on role assignment are bypassed. A regular user can therefore craft a payload that assigns root-level privileges, resulting in unauthorized privilege escalation and undermining the application's role-based access control. This puts data security at risk for all users, particularly those in administrative roles.
Recommendations: For versions prior to 0.8.0, upgrade to release 0.8.0, which addresses the vulnerability. As a temporary workaround, restrict access to the "/api/{org id}/users" endpoint to reduce the risk of exploitation, and avoid using the org id and users parameters of the affected endpoint until the issue is resolved.
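To illustrate the missing control, here is an added example (not OpenObserve's code) of a user-creation check in the shape the fix needs: the role name from the payload is parsed, the caller must hold an administrative role to create users at all, and the requested role may never exceed the caller's own. Only the 'root' role comes from the advisory; the "member" and "admin" role names, the ordering between them, and all function names are assumptions for illustration.

```rust
// Added example modelling the role check the vulnerable endpoint lacked.
// Role names other than "root" and the ordering are assumptions.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    Member, // regular user (assumed name)
    Admin,  // assumed name
    Root,   // the role the advisory says a regular user could assign
}

impl Role {
    /// Parse the role string taken from the request payload.
    pub fn parse(s: &str) -> Option<Role> {
        match s {
            "member" => Some(Role::Member),
            "admin" => Some(Role::Admin),
            "root" => Some(Role::Root),
            _ => None,
        }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub struct NewUser {
    pub email: String,
    pub role: Role,
}

#[derive(Debug, PartialEq, Eq)]
pub enum CreateError {
    Forbidden,
    BadRole,
}

/// Vulnerable shape: the payload role is trusted as-is, so any authenticated
/// caller can create a user holding "root".
pub fn create_user_unchecked(email: &str, payload_role: &str) -> Result<NewUser, CreateError> {
    let role = Role::parse(payload_role).ok_or(CreateError::BadRole)?;
    Ok(NewUser { email: email.to_string(), role })
}

/// Hardened shape: only Admin or Root may create users, and the requested
/// role is capped at the caller's own role.
pub fn create_user(caller: Role, email: &str, payload_role: &str) -> Result<NewUser, CreateError> {
    if caller < Role::Admin {
        return Err(CreateError::Forbidden); // regular users cannot create users
    }
    let role = Role::parse(payload_role).ok_or(CreateError::BadRole)?;
    if role > caller {
        return Err(CreateError::Forbidden); // no escalation above the caller
    }
    Ok(NewUser { email: email.to_string(), role })
}
```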

Exploit · Fix

Tags: LPE · Improper Privilege Management · Improper Authorization · Improper Access Control · Improper Authentication


Related Identifiers

CVE-2024-24830
GHSA-HFXX-G56F-8H5V

Affected Products

Openobserve