CVE-2024-43784: Re-creating a deleted user in lakeFS will re-enable previous user credentials that existed prior to its deletion

November 26, 2024

Existing lakeFS users who have issued credentials to users who have been deleted. Creating a new user with the same username, that user will inherit all of the previous user’s credentials lakeFS needs to delete user credentials upon user deletion.

References

github.com/advisories/GHSA-hh33-46q4-hwm2
github.com/treeverse/lakeFS
github.com/treeverse/lakeFS/security/advisories/GHSA-hh33-46q4-hwm2
nvd.nist.gov/vuln/detail/CVE-2024-43784

Detect and mitigate CVE-2024-43784 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →