lakeFS is an open-source tool that transforms object storage into a Git-like repository. Existing lakeFS users who have issued credentials to users who have been deleted are affected by this vulnerability. When creating a new user with the same username as a deleted user, that user will inherit all of the previous user's credentials. This issue has been addressed in release version 1.33.0 and all users are advised to upgrade. The only known workaround for those who cannot upgrade is to not reuse usernames.
History

Tue, 26 Nov 2024 22:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 Nov 2024 20:30:00 +0000

Type | Values Removed | Values Added
Description | | lakeFS is an open-source tool that transforms object storage into a Git-like repository. Existing lakeFS users who have issued credentials to users who have been deleted are affected by this vulnerability. When creating a new user with the same username as a deleted user, that user will inherit all of the previous user's credentials. This issue has been addressed in release version 1.33.0 and all users are advised to upgrade. The only known workaround for those who cannot upgrade is to not reuse usernames.
Title | | Re-creating a deleted user in lakeFS will re-enable previous user credentials that existed prior to its deletion
Weaknesses | | CWE-281
References | |
Metrics (cvssV3_1) | | {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-26T20:17:56.482Z

Updated: 2024-11-26T21:37:39.411Z

Reserved: 2024-08-16T14:20:37.323Z

Link: CVE-2024-43784

Vulnrichment

Updated: 2024-11-26T21:37:12.346Z

NVD

Status: Received

Published: 2024-11-26T21:15:07.160

Modified: 2024-11-26T21:15:07.160

Link: CVE-2024-43784

Redhat

No data.