An escalation of privileges vulnerability exists in Seq versions 2022.1.7378 to 2024.1.11028 inclusive.
Servers with:
Users in the "Project Owner" or "Organization Owner" roles, or
API keys carrying Project or Organization, but not System permissions,
are affected. These users, and those holding affected API keys, can use them to acquire System permissions.
Datalust recommends upgrading impacted instances to Seq 2024.1.11146 / datalust/seq:2024.1.11146, which is a highly-compatible in-place update for all versions in the affected range.
Servers running Seq 2023.4, which is within its support window, may alternatively upgrade to patch 2023.4.11151 (available via https://datalust.co/download/all, or the corresponding datalust/seq tag), which also addresses the issue.
The issue can also be worked around without upgrading, by:
Changing users in the affected "Project Owner" and "Organization Owner" roles to "User (read/write)", and
Removing Project and Organization permissions from any API keys that carry them but do not also carry System.
This issue was identified by Datalust during regular internal testing.
An escalation of privileges vulnerability exists in Seq versions 2022.1.7378 to 2024.1.11028 inclusive.
Servers with:
ProjectorOrganization, but notSystempermissions,are affected. These users, and those holding affected API keys, can use them to acquire
Systempermissions.Datalust recommends upgrading impacted instances to Seq 2024.1.11146 /
datalust/seq:2024.1.11146, which is a highly-compatible in-place update for all versions in the affected range.Servers running Seq 2023.4, which is within its support window, may alternatively upgrade to patch 2023.4.11151 (available via https://datalust.co/download/all, or the corresponding
datalust/seqtag), which also addresses the issue.The issue can also be worked around without upgrading, by:
ProjectandOrganizationpermissions from any API keys that carry them but do not also carrySystem.This issue was identified by Datalust during regular internal testing.