CVE-2024-30896

Name of the Vulnerable Software and Affected Versions InfluxDB OSS versions 2.x through 2.7.11

Description The issue allows authorized users with read access to the authorization resource of the default organization to retrieve the administrative operator token. This is possible because the token is stored under the default organization. It is noted that allAccess administrators can retrieve all raw tokens via an influx auth ls command. The supplier indicates that the organizations feature is operating as intended and that users may choose to add users to non-default organizations. A future release of InfluxDB 2.x will remove the ability to retrieve tokens from the API.

Recommendations For InfluxDB OSS versions 2.x through 2.7.11, consider adding users to non-default organizations to minimize the risk of exploitation, as the organizations feature is operating as intended. Additionally, be cautious when granting read access to the authorization resource of the default organization. At the moment, there is no information about a newer version that contains a fix for this vulnerability.