HIGH🇬🇧 English

CVE-2026-39361

CVSS 7.7v3.1pub. 2026-04-07upd. 2026-04-14

OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. "[::1]" not "::1"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  • Openobserve

    APP
    Openobserve
    ≤ 0.70.3
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2024-24830CRITICAL9.9PL ✓ten sam produkt

OpenObserve: privilege escalation przez endpoint dodawania użytkowników

CVE-2024-25106CRITICAL9.1PL ✓ten sam produkt

OpenObserve: nieautoryzowane usuwanie użytkowników przez dowolnego członka organizacji

CVE-2024-41808HIGH8.8ten sam produkt

The OpenObserve open-source observability platform provides the ability to filter logs in a dashboard by the v...

CVE-2024-41809HIGH7.2ten sam produkt

OpenObserve is an open-source observability platform. Starting in version 0.4.4 and prior to version 0.10.0, O...