PT-2024-30654 · Lakefs · Lakefs
Published: 2024-11-26 · Updated: 2024-12-11
CVE-2024-43784
CVSS v4.0: 6.8 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
lakeFS versions prior to 1.33.0
Description
lakeFS is an open-source tool that transforms object storage into a Git-like repository. Deployments in which credentials were issued to a user that was later deleted are affected: in versions prior to 1.33.0, deleting the user does not revoke those credentials, and a new user created with the same username inherits all of them. In practice this means the deleted user's access keys become valid again under the new account, so both the new account holder and anyone still in possession of the old key material gain access.
Recommendations
For versions prior to 1.33.0, upgrade to lakeFS 1.33.0 or later.
As a temporary workaround for those who cannot upgrade, do not reuse the username of a deleted user. It is also worth checking existing accounts whose username matches a previously deleted user and revoking any credentials that predate the current account.
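The failure mode described above, and the check a team relying on the interim workaround might run, as an added example that is not lakeFS's own code: a simplified in-memory model of the pre-1.33.0 behaviour beside a fixed variant, plus a heuristic that flags credentials older than the account that currently holds them. The store classes, the timeline and the access key IDs are constructed for illustration; the heuristic assumes creation timestamps for users and their credentials can be obtained from the deployment.

```python
"""Added example, not lakeFS project code.

A simplified in-memory model of the pre-1.33.0 behaviour: credentials are
stored under the username and survive deletion of the user, so a later user
created with the same name inherits them. The subclass shows the fix, and
inherited_credentials() is an audit heuristic for the workaround period.
All class names, timestamps and access key IDs below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class User:
    username: str
    created_at: datetime


@dataclass(frozen=True)
class Credential:
    access_key_id: str
    created_at: datetime


class VulnerableAuthStore:
    """Models the bug: deleting a user leaves its credentials keyed by name."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.credentials: dict[str, list[Credential]] = {}

    def create_user(self, username: str, now: datetime) -> User:
        if username in self.users:
            raise ValueError(f"user {username!r} already exists")
        user = User(username, now)
        self.users[username] = user
        return user

    def issue_credential(self, username: str, access_key_id: str, now: datetime) -> Credential:
        if username not in self.users:
            raise KeyError(username)
        cred = Credential(access_key_id, now)
        self.credentials.setdefault(username, []).append(cred)
        return cred

    def delete_user(self, username: str) -> None:
        # The defect: only the user record is removed. Credentials stay behind,
        # still keyed by username, so a recreated user with that name gets them.
        del self.users[username]

    def credentials_for(self, username: str) -> list[Credential]:
        if username not in self.users:
            raise KeyError(username)
        return list(self.credentials.get(username, []))


class FixedAuthStore(VulnerableAuthStore):
    """Hardened variant: deleting a user also removes every credential it owned."""

    def delete_user(self, username: str) -> None:
        super().delete_user(username)
        self.credentials.pop(username, None)


def inherited_credentials(store: VulnerableAuthStore) -> list[tuple[str, str]]:
    """Audit heuristic: a credential created before its current owner's account
    existed can only have come from an earlier user with the same name."""
    findings: list[tuple[str, str]] = []
    for username, user in store.users.items():
        for cred in store.credentials_for(username):
            if cred.created_at < user.created_at:
                findings.append((username, cred.access_key_id))
    return findings


def demo(store_cls: type[VulnerableAuthStore]) -> tuple[list[str], list[tuple[str, str]]]:
    """Replay the advisory's scenario against the given store class.

    Returns the access key IDs visible to the recreated user and the audit findings.
    """
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timeline
    store = store_cls()
    store.create_user("alice", t0)
    store.issue_credential("alice", "AKIAEXAMPLEOLDKEY", t0 + timedelta(days=1))
    store.delete_user("alice")                           # the original alice leaves
    store.create_user("alice", t0 + timedelta(days=30))  # a different person, same name
    visible = [c.access_key_id for c in store.credentials_for("alice")]
    return visible, inherited_credentials(store)


if __name__ == "__main__":
    print("vulnerable store:", demo(VulnerableAuthStore))
    print("fixed store:     ", demo(FixedAuthStore))
```

Against the vulnerable store the recreated "alice" sees the old key and the audit flags it; against the fixed store the key is gone. Running the same timestamp comparison over real user and credential listings is a practical way to find accounts recreated under a deleted user's name before the upgrade; any key it flags should be revoked and reissued rather than left in place.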
Weakness Types
Improper Authentication
Improper Preservation of Permissions
Related Identifiers
CVE-2024-43784
Affected Products
lakeFS (versions prior to 1.33.0)