An escalation of privileges vulnerability exists in Seq versions 2022.1.7378 to 2024.1.11028 inclusive.
Servers with:
Users in the "Project Owner" or "Organization Owner" roles, or
API keys carrying Project or Organization, but not System permissions,
are affected. These users, and those holding affected API keys, can use them to acquire System permissions.
Datalust recommends upgrading impacted instances to Seq 2024.1.11146 / datalust/seq:2024.1.11146, which is a highly-compatible in-place update for all versions in the affected range.
Servers running Seq 2023.4, which is within its support window, may alternatively upgrade to patch 2023.4.11151 (available via https://datalust.co/download/all, or the corresponding datalust/seq tag), which also addresses the issue.
The issue can also be worked around without upgrading, by:
Changing users in the affected "Project Owner" and "Organization Owner" roles to "User (read/write)", and
Removing Project and Organization permissions from any API keys that carry them but do not also carry System.
This issue was identified by Datalust during regular internal testing.
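The affected-range and permission conditions above can be checked against an inventory of servers, users and API keys. This is an added example, not Datalust's code: the inventory layout, function names and sample entries are constructed, and it assumes builds on the 2023.4 line at or above 2023.4.11151 keep the fix.

```python
# Added example: inventory layout and names are constructed, not Seq's API.
AFFECTED_FIRST = (2022, 1, 7378)
AFFECTED_LAST = (2024, 1, 11028)
PATCHED_2023_4 = (2023, 4, 11151)   # support-window patch named in the advisory
RISKY_ROLES = {"Project Owner", "Organization Owner"}
RISKY_PERMS = {"Project", "Organization"}

def parse_version(text):
    """Turn 'YYYY.N.BUILD' into a comparable tuple of ints."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected YYYY.N.BUILD, got {text!r}")
    return parts

def version_affected(text):
    v = parse_version(text)
    if not (AFFECTED_FIRST <= v <= AFFECTED_LAST):
        return False
    # 2023.4.11151 sorts inside the affected range but carries the fix.
    # Assumption: later builds on the 2023.4 line keep it.
    if v[:2] == PATCHED_2023_4[:2] and v >= PATCHED_2023_4:
        return False
    return True

def principals_to_fix(users, api_keys):
    """Return (kind, name, reason) for each principal the advisory lists."""
    findings = []
    for u in users:
        if u["role"] in RISKY_ROLES:
            findings.append(("user", u["name"], f"role {u['role']}"))
    for k in api_keys:
        perms = set(k["permissions"])
        if perms & RISKY_PERMS and "System" not in perms:
            held = ", ".join(sorted(perms & RISKY_PERMS))
            findings.append(("api_key", k["title"], f"{held} without System"))
    return findings

# Constructed sample inventory.
USERS = [{"name": "alice", "role": "Project Owner"},
         {"name": "bob", "role": "User (read/write)"}]
API_KEYS = [{"title": "ci", "permissions": ["Ingest", "Project"]},
            {"title": "ops", "permissions": ["Organization", "System"]},
            {"title": "shipper", "permissions": ["Ingest"]}]

if __name__ == "__main__":
    for version in ("2023.4.11000", "2023.4.11151", "2024.1.11028", "2024.1.11146"):
        print(version, "affected" if version_affected(version) else "not affected")
    for finding in principals_to_fix(USERS, API_KEYS):
        print(*finding)
```

A plain range comparison would report 2023.4.11151 as vulnerable because it sorts below 2024.1.11028, which is why the 2023.4 patch line is handled separately.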