CVE-2024-43784: 
vulnerability analysis and mitigation

CVE-2024-43784 affects lakeFS, an open-source tool that transforms object storage into a Git-like repository. The vulnerability impacts existing lakeFS users who have issued credentials to deleted users. When creating a new user with the same username as a deleted user, that user will inherit all of the previous user's credentials. This vulnerability was discovered and disclosed on November 26, 2024, and has been addressed in release version 1.33.0 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L. The vulnerability is classified under CWE-281 (Improper Preservation of Permissions). The issue stems from the system's failure to properly handle user credential cleanup during user deletion, allowing credential inheritance when usernames are reused (GitHub Advisory).

When exploited, this vulnerability allows new users created with previously used usernames to inherit all credentials that belonged to the deleted user. This could lead to unauthorized access to resources and potential security breaches, particularly if the previous user had significant access permissions (GitHub Advisory).

The vulnerability has been fixed in lakeFS version 1.33.0, and all users are advised to upgrade to this version. For users who cannot immediately upgrade, the only known workaround is to avoid reusing usernames of deleted users (GitHub Advisory, GitHub Release).