OpenObserve, a robust observability platform designed for logs, metrics, traces, and analytics at petabyte scale, has been flagged with a critical vulnerability. The flaw resides in the “/api/{org_id}/users” endpoint, allowing authenticated regular users (‘member’) to add new users with elevated privileges, including the coveted ‘root’ role, to an organization.
This exploit bypasses the intended security controls for role assignments, particularly compromising the application’s role-based access control system during the user creation process.
The crux of the issue lies in the inadequate validation of user roles in the payload during the user creation process. This deficiency permits a regular user to manipulate the payload, effectively assigning root-level privileges. This vulnerability translates into Unauthorized Privilege Escalation, providing unauthorized control over crucial application resources.
The scope of impact extends to all users, with a particular emphasis on those in administrative roles. The gravity of the situation is underscored by the assigned CVSS scores, with NIST rating it at 8.8 (HIGH) and the CNA (GitHub, Inc.) scoring it at 9.9 (CRITICAL).
The development team has promptly addressed this issue in release version 0.8.0, and users are strongly urged to upgrade to mitigate potential risks. Unfortunately, there are no known workarounds for this vulnerability, emphasizing the importance of a swift and thorough response to maintain the integrity of OpenObserve’s observability platform.
