{"uuid": "10e166b3-b382-46d8-88d2-d3b85be88604", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-55954", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/2020", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-55954\n\ud83d\udd39 Description: OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an \"Admin\" role user to remove a \"Root\" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the `remove_user_from_org` function does not prevent an \"Admin\" user from removing a \"Root\" user. As a result, an attacker with an \"Admin\" role can remove critical \"Root\" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org_id}/users/{email_id}` endpoint is affected. This issue has been addressed in release version `0.14.1` and all users are advised to upgrade. There are no known workarounds for this vulnerability.\n\ud83d\udccf Published: 2025-01-16T19:30:39.218Z\n\ud83d\udccf Modified: 2025-01-16T19:30:39.218Z\n\ud83d\udd17 References:\n1. https://github.com/openobserve/openobserve/security/advisories/GHSA-m8gj-6r85-3r6m\n2. https://github.com/gaby/openobserve/blob/main/src/service/users.rs#L631", "creation_timestamp": "2025-01-16T19:56:03.000000Z"}