CVE-2024-43784

lakeFS is an open-source tool that transforms object storage into a Git-like repository. Existing lakeFS users who have issued credentials to users who have been deleted are affected by this vulnerability. When creating a new user with the same username as a deleted user, that user will inherit all of the previous user's credentials. This issue has been addressed in release version 1.33.0 and all users are advised to upgrade. The only known workaround for those who cannot upgrade is to not reuse usernames.

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/treeverse/lakeFS/releases/tag/v1.33.0
https://github.com/treeverse/lakeFS/security/advisories/GHSA-hh33-46q4-hwm2

Configurations

No configuration.

History

No history.

Information

Published : 2024-11-26 21:15

Updated : 2024-11-26 21:15

NVD link : CVE-2024-43784

Mitre link : CVE-2024-43784

CVE.ORG link : CVE-2024-43784

JSON object : View

Products Affected

No product.

CWE

CWE-281

Improper Preservation of Permissions

{"id": "CVE-2024-43784", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 0.9}]}, "published": "2024-11-26T21:15:07.160", "references": [{"url": "https://github.com/treeverse/lakeFS/releases/tag/v1.33.0", "source": "security-advisories@github.com"}, {"url": "https://github.com/treeverse/lakeFS/security/advisories/GHSA-hh33-46q4-hwm2", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-281"}]}], "descriptions": [{"lang": "en", "value": "lakeFS is an open-source tool that transforms object storage into a Git-like repository. Existing lakeFS users who have issued credentials to users who have been deleted are affected by this vulnerability. When creating a new user with the same username as a deleted user, that user will inherit all of the previous user's credentials. This issue has been addressed in release version 1.33.0 and all users are advised to upgrade. The only known workaround for those who cannot upgrade is to not reuse usernames."}, {"lang": "es", "value": "lakeFS es una herramienta de c\u00f3digo abierto que transforma el almacenamiento de objetos en un repositorio similar a Git. Los usuarios de lakeFS existentes que han emitido credenciales a usuarios que han sido eliminados se ven afectados por esta vulnerabilidad. Al crear un nuevo usuario con el mismo nombre de usuario que un usuario eliminado, ese usuario heredar\u00e1 todas las credenciales del usuario anterior. Este problema se ha solucionado en la versi\u00f3n 1.33.0 y se recomienda a todos los usuarios que actualicen. El \u00fanico workaround conocido para aquellos que no pueden actualizar es no reutilizar los nombres de usuario."}], "lastModified": "2024-11-26T21:15:07.160", "sourceIdentifier": "security-advisories@github.com"}