
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
InfluxDB OSS 2.x through 2.7.11 contains a business logic vulnerability that allows authorized users with read access to the authorization resource of the default organization to retrieve the operator token. The vulnerability was discovered and reported in March 2024, affecting only InfluxDB OSS 2.x versions, while InfluxDB OSS 1.x, Enterprise, Cloud, Cloud Dedicated, and Clustered versions are not affected (NVD, GitHub Issue).
The vulnerability stems from a business logic flaw where users with allAccess tokens can list all authorization tokens defined in the same organization, including operator tokens, through the 'influx auth ls' command or API endpoints. The issue occurs because allAccess tokens have unrestricted permissions to list all authorizations within their organization, regardless of token type. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical) with the vector string AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (NVD).
The vulnerability enables unauthorized access to the entire InfluxDB instance, potentially compromising the confidentiality, integrity, and availability of data across organizations. Because an operator token carries administrative permissions, an attacker who retrieves it gains unrestricted access to the whole instance, including its availability and integrity (GitHub Issue).
As a temporary mitigation, administrators should avoid granting users access to the default organization where operator tokens are automatically stored during setup. It is recommended to create multiple organizations and only grant users access to secondary organizations that do not contain operator tokens. Additionally, operators should avoid storing operator tokens in non-default organizations (GitHub Issue).
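The mitigation above comes down to one check an administrator can run: for every organization that holds an operator token, which other tokens in that organization can read the authorization resource and therefore list it? The following Python script, added here as an illustration and not taken from the advisory or from InfluxData, performs that audit over a constructed sample standing in for `influx auth ls --json` output. The JSON field names and the "action:resource" permission format with an "orgs/<orgID>/" prefix for org-scoped resources are assumptions about the CLI output, and every ID and name is made up.

```python
import json
from collections import defaultdict

# Constructed sample standing in for `influx auth ls --json` output.
# Assumption (not from the advisory): each entry carries "id", "description",
# "userName", "orgID" and a "permissions" list of "action:resource" strings;
# org-scoped resources are prefixed "orgs/<orgID>/", while the setup operator
# token's resources carry no prefix. All IDs and names below are made up.
SAMPLE_AUTH_LIST = json.dumps([
    {"id": "0b0f000000000001", "description": "admin's Token", "userName": "admin",
     "orgID": "aaaa000000000001",
     "permissions": ["read:authorizations", "write:authorizations",
                     "read:buckets", "write:buckets", "read:orgs", "write:orgs"]},
    {"id": "0b0f000000000002", "description": "alice allAccess", "userName": "alice",
     "orgID": "aaaa000000000001",
     "permissions": ["read:orgs/aaaa000000000001/authorizations",
                     "write:orgs/aaaa000000000001/authorizations",
                     "read:orgs/aaaa000000000001/buckets"]},
    {"id": "0b0f000000000003", "description": "collector", "userName": "svc-collector",
     "orgID": "aaaa000000000002",
     "permissions": ["write:orgs/aaaa000000000002/buckets"]},
])


def parse_permission(perm):
    """Split 'action:resource' into (action, resource_type, org_id).

    org_id is None for an instance-wide (unprefixed) resource. Deeper paths
    such as orgs/<id>/buckets/<bucketID> keep only the resource type.
    """
    action, _, resource = perm.partition(":")
    parts = resource.split("/")
    if parts[0] == "orgs" and len(parts) >= 3:
        return action, parts[2], parts[1]
    return action, parts[0], None


def is_operator_token(entry):
    """An operator token is recognised by holding any instance-wide permission."""
    return any(parse_permission(p)[2] is None for p in entry["permissions"])


def audit_operator_exposure(auth_json):
    """Map each org that stores an operator token to the non-operator tokens
    that can read authorizations in that org (the advisory's precondition)."""
    entries = json.loads(auth_json)
    operators = defaultdict(list)   # orgID -> operator token ids stored there
    readers = defaultdict(list)     # orgID -> token ids able to list authorizations
    for entry in entries:
        if is_operator_token(entry):
            operators[entry["orgID"]].append(entry["id"])
            continue
        for perm in entry["permissions"]:
            action, rtype, org = parse_permission(perm)
            if action == "read" and rtype == "authorizations" and org:
                readers[org].append(entry["id"])
                break
    return {org: {"operator_tokens": ids, "can_list": readers.get(org, [])}
            for org, ids in operators.items()}


if __name__ == "__main__":
    for org, finding in audit_operator_exposure(SAMPLE_AUTH_LIST).items():
        if finding["can_list"]:
            print(f"org {org}: operator token(s) {finding['operator_tokens']} "
                  f"are listable by {finding['can_list']}")
        else:
            print(f"org {org}: operator token(s) present, no other readers")
```

Replace SAMPLE_AUTH_LIST with the real output of `influx auth ls --json` (run with the operator token) to audit a live instance; any org reported with a non-empty can_list is one where the advisory's mitigation has not yet been applied, and the listed tokens are the ones to move into a secondary organization.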
Source: This report was generated using AI