CVE-2024-43784

CVE-2024-43784 is a medium-severity vulnerability with a CVSS 3.x base score of 5.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-281.

Key facts

Description

lakeFS is an open-source tool that transforms object storage into a Git-like repository. Existing lakeFS users who have issued credentials to users who have been deleted are affected by this vulnerability. When creating a new user with the same username as a deleted user, that user will inherit all of the previous user's credentials. This issue has been addressed in release version 1.33.0 and all users are advised to upgrade. The only known workaround for those who cannot upgrade is to not reuse usernames.

Frequently asked questions

What is CVE-2024-43784?
lakeFS is an open-source tool that transforms object storage into a Git-like repository. Existing lakeFS users who have issued credentials to users who have been deleted are affected by this vulnerability. When creating a new user with the same username as a deleted user, that user will inherit all of the previous user's credentials. This issue has been addressed in release version 1.33.0 and all users are advised to upgrade. The only known workaround for those who cannot upgrade is to not reuse usernames.
How severe is CVE-2024-43784?
CVE-2024-43784 has a CVSS 3.x base score of 5.7, rated medium severity. It is exploitable over network with low attack complexity, requires high privileges and user interaction. Impact on confidentiality is low, integrity high, and availability low.
Is CVE-2024-43784 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (26th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2024-43784?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-43784 have an EU (EUVD) identifier?
Yes. CVE-2024-43784 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-3356.
When was CVE-2024-43784 published?
CVE-2024-43784 was published on 2024-11-26 and last updated on 2026-06-17.

References

Other CWE-281 (Improper Preservation of Permissions) vulnerabilities

Browse all CWE-281 (Improper Preservation of Permissions) vulnerabilities →