CVE-2024-30896

CVSS 3.1 Score 9.1 of 10 (high)

Details

Published Nov 21, 2024
Updated: Dec 3, 2024
CWE ID 922

Summary

CVE-2024-30896 is a vulnerability affecting InfluxDB Open Source Edition 2.x through 2.7.11, where the administrative operator token is stored in the default organization. Authorized users with read access to the authorization resource of the default organization can retrieve the operator token, posing a security risk. Notably, InfluxDB 1.x, Enterprise, Cloud, Cloud Dedicated, and Clustered versions are not vulnerable. The supplier acknowledges the issue but maintains that users have the option to add users to non-default organizations. A planned future release of InfluxDB 2.x will eliminate the API functionality that enables token retrieval.

Affected Products

  • InfluxData InfluxDB

Affected Vendors

  • InfluxData