Pelican Web UI Privilege Escalation via OIDC (CVE-2024-42571) Advisory and Mitigation

Privilege Escalation Attack Affecting Pelican Web UI Vulnerability Overview Vulnerability Type: Privilege Escalation CVSS Score: 9.0 / 10 (Critical) CVE ID: CVE-2024-42571 Description: An attacker who logs into the Pelican Web UI via OAuth can create database records, thereby obtaining server administrator privileges upon subsequent logins. This allows the attacker to modify server configurations, create persistent API tokens, and change administrator passwords. Exploitation Conditions: 1. The server must have OIDC login enabled. 2. The attacker holds an OIDC login session. 3. The server is configured with or , and the corresponding user/group of the attacker has never logged in locally to the server. Impact Scope Affected Versions: v7.21.0 to v7.24.0 (Specifically including v7.21.0-v7.21.4, v7.22.0-v7.22.2, v7.23.0-v7.23.2, v7.24.0-v7.24.1) Fixed Versions: v7.21.5, v7.22.3, v7.23.3, v7.24.2 Potentially Affected Components: Director: Configuration can be modified to point to a malicious Registry, causing federation-level denial of service. Registry: Malicious namespaces can be created, causing federation-level namespace poisoning. Origin: Write access can be enabled and export paths changed. Cache: Cache data can be exposed. Remediation 1. Audit the Database (Immediate Action) Before upgrading, it is recommended to run a script to audit the database to detect and prevent further exploitation. Script Code: Script Source GitHub Gist: https://gist.github.com/jhemstrawsc/8c4b2b3ec5cb2ca0037f94a39dc16cc9 2. Upgrade to Fixed Versions Administrators should upgrade affected versions to any of the following fixed versions: 3. Disable Vulnerable Configurations (If Immediate Upgrade Is Not Possible) If an immediate upgrade is not possible, disable the vulnerable configurations by commenting out or removing the relevant settings from . Configuration Code: Note: Disabling will completely remove OIDC-based administrator access, retaining only password-based login.

Goal Reached Thanks to every supporter — we hit 100%!

Pelican Web UI Privilege Escalation via OIDC (CVE-2024-42571) Advisory and Mitigation

More from this source