CVE-2024-24830: Openobserve User Creation Missing Initiator Authz

Provally Curated · Public repository · High · High confidence · Verified · Apache-2.0 · rust
greprules fetch cve-2024-24830-openobserve-user-creation-missing-initiator-authz --engine opengrep

Description

This `post_user` handler accepts a `UserRequest` (which carries a caller-supplied `role`) but takes no `initiator_id` parameter and performs no Root/Admin authorization check on the caller. Any authenticated user can therefore create an account with elevated privileges (e.g. `UserRole::Root`), enabling vertical privilege escalation (CVE-2024-24830). Fix: add
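The bug class in miniature, as an added example that is not OpenObserve's code: a `post_user` handler that trusts the caller-supplied `role` and never looks at who is calling, beside a hardened version that takes the authenticated initiator's id and refuses unless that initiator is Root or Admin. All names here (`UserRole`, `UserRequest`, `Store`, `AuthzError`, the handler signatures and the seeded users) are assumptions made for illustration. The hardened handler additionally refuses to grant a role above the initiator's own, so only Root can create Root; that ceiling is a design choice added here, not something the page states.

```rust
// Added example modelling the CVE-2024-24830 bug class. Not OpenObserve's
// code: every type, method and user below is an assumption for illustration.
use std::collections::HashMap;

// Ord derives from variant order: Member < Admin < Root.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum UserRole {
    Member,
    Admin,
    Root,
}

#[derive(Clone, Debug)]
pub struct UserRequest {
    pub email: String,
    pub role: UserRole, // caller-supplied: the value the vulnerable handler trusts blindly
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthzError {
    UnknownInitiator,
    Forbidden,
}

/// Minimal in-memory user store standing in for the real persistence layer.
#[derive(Default)]
pub struct Store {
    users: HashMap<String, UserRole>,
}

impl Store {
    pub fn with_users(seed: &[(&str, UserRole)]) -> Self {
        Self {
            users: seed.iter().map(|(e, r)| (e.to_string(), *r)).collect(),
        }
    }

    /// Vulnerable shape: no initiator parameter, no authorization check.
    /// Any caller that reaches this handler can mint a Root account.
    pub fn post_user_vulnerable(&mut self, req: UserRequest) -> UserRole {
        self.users.insert(req.email.clone(), req.role);
        req.role
    }

    /// Hardened shape: the handler receives the authenticated initiator's id,
    /// resolves its role, and rejects anything below Admin. The extra
    /// `req.role > initiator_role` ceiling (added design choice) stops an
    /// Admin from creating a Root account.
    pub fn post_user(
        &mut self,
        initiator_id: &str,
        req: UserRequest,
    ) -> Result<UserRole, AuthzError> {
        let initiator_role = *self
            .users
            .get(initiator_id)
            .ok_or(AuthzError::UnknownInitiator)?;
        if initiator_role < UserRole::Admin {
            return Err(AuthzError::Forbidden);
        }
        if req.role > initiator_role {
            return Err(AuthzError::Forbidden);
        }
        self.users.insert(req.email.clone(), req.role);
        Ok(req.role)
    }

    pub fn role_of(&self, email: &str) -> Option<UserRole> {
        self.users.get(email).copied()
    }
}

fn main() {
    // Constructed seed data: one Root and one ordinary Member.
    let mut store = Store::with_users(&[
        ("root@example.com", UserRole::Root),
        ("mallory@example.com", UserRole::Member),
    ]);

    // Vulnerable path: whoever calls it gets a Root account created.
    let got = store.post_user_vulnerable(UserRequest {
        email: "evil@example.com".into(),
        role: UserRole::Root,
    });
    println!("vulnerable handler created evil@example.com as {:?}", got);

    // Hardened path: a Member initiator is refused before any write happens.
    let res = store.post_user(
        "mallory@example.com",
        UserRequest { email: "evil2@example.com".into(), role: UserRole::Root },
    );
    println!("hardened handler with Member initiator: {:?}", res);
}
```

The point to check in a real handler is the same as in the model: the authorization decision must be derived from the authenticated caller's identity, resolved server-side, before the request body's `role` is ever consulted or persisted.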

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
