CVE-2024-30896
Published 2024-11-21
Priority: P2 · 64 · critical 9.1 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:H / UI:N / S:C / C:H / I:H / A:H
EXPLOIT
EPSS: 5.17% (91.4th percentile)
InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default organization to retrieve the operator token. InfluxDB OSS 1.x, Enterprise, Cloud, Cloud Dedicated and Clustered are not affected. NOTE: The researcher states that InfluxDB allows allAccess administrators to retrieve all raw tokens via an "influx auth ls" command. The supplier indicates that the organizations feature is operating as intended and that users may choose to add users to non-default organizations. A future release of InfluxDB 2.x will remove the ability to retrieve tokens from the API. The supplier has stated that InfluxDB 2.8.0 has addressed this issue.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | influxdb | — | — |
| msrc | azl3_influxdb_2.7.5-10_on_azure_linux_3.0 | — | — |
| msrc | azl3_influxdb_2.7.5-13_on_azure_linux_3.0 | — | — |
| msrc | azl3_influxdb_2.7.5-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_influxdb_2.7.5-8_on_azure_linux_3.0 | — | — |
| msrc | cbl2_influxdb_2.6.1-22_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_influxdb_2.6.1-23_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_influxdb_2.6.1-24_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_influxdb_2.6.1-27_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_influxdb_2.6.1-28_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_influxdb_2.6.1-30_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for calls to the InfluxDB authorizations API endpoint (find_authorizations / GET /api/v2/authorizations) by non-operator users, especially those filtering for permissions with action='write' and resource.type='authorizations' with org=None, which is the programmatic method used to identify operator tokens.
- Alert on execution of 'influx auth ls' CLI commands, particularly when piped with grep for 'write:/orgs', as this is the CLI-based exploitation path to enumerate operator-level tokens.
- Detect use of the Python exploit script CVE-2024-30896.py or the influxdb_client library version 1.41.0 making authorization enumeration calls against InfluxDB OSS 2.x instances.
- Privilege escalation indicator: an allAccess token (scoped to a specific org) being used to retrieve tokens with global write:/orgs permissions (operator-level), indicating token harvesting for privilege escalation.
- The vulnerability requires the attacker's allAccess token to have been created in the same organization where the operator token resides (e.g., the default/admin org). Placing users in non-default organizations mitigates exposure.
- The supplier considers the organizations feature to be operating as intended; however, a future release will remove the ability to retrieve raw tokens from the API. InfluxDB 2.8.0 has addressed this issue.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| osv | — | 9.1 | CRITICAL | — |
| vendor_debian | — | 9.1 | LOW | — |
| vendor_msrc | — | 9.1 | CRITICAL | — |
| vendor_redhat | — | 9.1 | CRITICAL | — |
GHSA
GHSA-r5vq-m2mp-cpfj (ghsa_unreviewed · 2024-11-27 · CRITICAL · CWE-922)
InfluxDB through 2.7.10 allows allAccess administrators to retrieve all raw tokens via an "influx auth ls" command. NOTE: the supplier indicates that this is intentional but is a "poor design choice" that will be changed in a future release.
OSV
CVE-2024-30896 (osv · 2024-11-21 · CVSS 9.1 · CRITICAL)
Description: same text as the NVD description above.
Red Hat
InfluxDB: Privilege Escalation via Authorization Token in InfluxDB (vendor_redhat · 2024-11-21 · CVSS 9.1 · CRITICAL)
Description: same text as the NVD description above (truncated in the source).
Microsoft
CVE-2024-30896 (vendor_msrc · 2024-11-12 · CVSS 9.1 · CRITICAL · CWE-922)
Description: same text as the NVD description above, without the final sentence on InfluxDB 2.8.0.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefor
Debian
CVE-2024-30896: influxdb (vendor_debian · 2024 · CVSS 9.1 · CRITICAL)
Description: same text as the NVD description above.
Scope: local
bookworm: resolved
No detection rules found.