CVE-2024-43784— lakeFS 安全漏洞

Re-creating a deleted user in lakeFS will re-enable previous user credentials that existed prior to it's deletion

lakeFS is an open-source tool that transforms object storage into a Git-like repository. Existing lakeFS users who have issued credentials to users who have been deleted are affected by this vulnerability. When creating a new user with the same username as a deleted user, that user will inherit all of the previous user's credentials. This issue has been addressed in release version 1.33.0 and all users are advised to upgrade. The only known workaround for those who cannot upgrade is to not reuse usernames.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L

权限预留不恰当

lakeFS 安全漏洞

lakeFS是Treeverse开源的一款开源工具，可将您的对象存储转换为类似 Git 的存储库。 lakeFS 1.31.1版本存在安全漏洞，该漏洞源于当创建的新用户使用了已删除用户的用户名时，新用户会继承原用户的所有凭证。这可能导致权限不当分配或敏感操作的执行。

N/A

N/A