CVE-2024-48729
Description
Broken object level authorization in ETSI OSM allows authenticated attackers to escalate privileges via the /osm/admin/v1/users endpoint, leading to account takeover and unauthorized role assignment.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-48729 is a broken object level authorization (BOLA) vulnerability in the ETSI Open-Source MANO (OSM) platform, specifically within the /osm/admin/v1/users API endpoint. The issue arises because the component fails to enforce proper authorization checks on user management operations, allowing a remote authenticated attacker to perform actions on other users' accounts without sufficient privileges [1].
An attacker with a valid authenticated session can exploit this by sending crafted HTTP requests to the /osm/admin/v1/users endpoint. This enables the attacker to replace the credentials of other users (account takeover), assign themselves higher-privileged roles (privilege escalation), or reassign the roles of legitimate users, causing a denial of service [1]. No special network position or additional authentication is required beyond the attacker's own valid session.
The impact of successful exploitation is severe. An attacker can gain administrative control over the OSM MANO instance, potentially compromising the entire NFV management and orchestration infrastructure. This includes the ability to manipulate Virtualized Network Functions (VNFs) and other critical components managed by OSM [1]. The vulnerability affects OSM versions 14.0.x before 14.0.3, 15.0.x before 15.0.2, 16.0.0, and 17.0.0.
ETSI has addressed this vulnerability with patches released in OSM versions 14.0.3 and 15.0.2. Users of affected versions should upgrade immediately. No workarounds have been published, and upgrading to a fixed version is the recommended mitigation [1].
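The authorization gap described above, as an added illustration that is not OSM's own code: a user-update handler that only verifies a session exists, beside a hardened one that decides per target object and per field. Role names, field names and the sample users are assumptions.

```python
# Added example, not ETSI OSM code: object-level authorization for a user-management
# handler like the one behind /osm/admin/v1/users. Names are assumptions.
from dataclasses import dataclass, field
ADMIN_ROLE = "system_admin"  # assumed role name, not OSM's own

class Forbidden(Exception):
    """Caller may not perform the requested operation."""

@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)
    password_hash: str = ""

def _apply(target, patch):
    if "password_hash" in patch:
        target.password_hash = patch["password_hash"]
    if "roles" in patch:
        target.roles = set(patch["roles"])
    return target

def patch_user_vulnerable(caller, target, patch):
    """BOLA: the only check is that a session exists, not who owns the target."""
    if caller is None:
        raise Forbidden("authentication required")
    return _apply(target, patch)

def patch_user_hardened(caller, target, patch):
    """Object-level check: credentials need self or admin; roles need admin."""
    is_admin = ADMIN_ROLE in caller.roles
    is_self = caller.user_id == target.user_id
    if "roles" in patch and not is_admin:
        raise Forbidden("only administrators may assign roles")
    if "password_hash" in patch and not (is_self or is_admin):
        raise Forbidden("cannot replace another user's credentials")
    return _apply(target, patch)

def takeover_blocked(handler):
    """True if a plain user can neither take over another account nor self-grant ADMIN_ROLE."""
    alice = User("alice", {"project_user"})          # constructed users
    bob = User("bob", {"project_user"}, "hash-bob")
    for victim, patch in ((bob, {"password_hash": "hash-attacker"}),
                          (alice, {"roles": [ADMIN_ROLE]})):
        try:
            handler(alice, victim, patch)
            return False  # the write went through: object-level check missing
        except Forbidden:
            pass
    return True
```

Running `takeover_blocked` against both handlers shows the difference directly: the session-only handler lets a plain user rewrite another account and grant itself the admin role, while the per-object handler refuses both.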
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 14.0.0 to 14.0.2, 15.0.0 to 15.0.1, 16.0.0, 17.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.