| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-1ce2-9qbs-f3gj |
| vulnerability_id |
VCID-1ce2-9qbs-f3gj |
| summary |
Graylog Allows Stored Cross-Site Scripting via Files Plugin and API Browser
### Impact
Two minor vulnerabilities were identified in the Graylog2 enterprise server, which can be combined to carry out a stored cross-site scripting attack.
An attacker with the permission `FILES_CREATE` can exploit these vulnerabilities to upload arbitrary Javascript code to the Graylog2 server, which - upon requesting of the file by a user of the API browser - results in the execution of this Javascript code in the context of the Graylog frontend application.
This enables the attacker to carry out authenticated API requests with the permissions of the logged-in user, thereby taking over the user session.
### Patches
The generic API has been removed in 6.2.0 rendering the attack vector unreachable and additional escaping has been added.
Analysis provided by Fabian Yamaguchi - Whirly Labs (Pty) Ltd |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-q9q2-3ppx-mwqf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1ce2-9qbs-f3gj |
|
| 1 |
|
| 2 |
| url |
VCID-3ry5-zffa-hbbd |
| vulnerability_id |
VCID-3ry5-zffa-hbbd |
| summary |
Graylog is a free and open log management platform. Graylog makes use of only one single source port for DNS queries. Graylog binds a single socket for outgoing DNS queries and while that socket is bound to a random port number it is never changed again. This goes against recommended practice since 2008, when Dan Kaminsky discovered how easy is to carry out DNS cache poisoning attacks. In order to prevent cache poisoning with spoofed DNS responses, it is necessary to maximise the uncertainty in the choice of a source port for a DNS query. Although unlikely in many setups, an external attacker could inject forged DNS responses into a Graylog's lookup table cache. In order to prevent this, it is at least recommendable to distribute the DNS queries through a pool of distinct sockets, each of them with a random source port and renew them periodically. This issue has been addressed in versions 5.0.9 and 5.1.3. Users are advised to upgrade. There are no known workarounds for this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-41045, GHSA-g96c-x7rh-99r3, GMS-2023-1862
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3ry5-zffa-hbbd |
|
| 3 |
|
| 4 |
| url |
VCID-atsa-zxpc-mkhx |
| vulnerability_id |
VCID-atsa-zxpc-mkhx |
| summary |
Graylog is a free and open log management platform. Prior to versions 6.0.14, 6.1.10, and 6.2.0, it is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field. For this attack to succeed, the attacker needs a user account with permissions to create event definitions, while the user must have permissions to view alerts. Additionally, an active Input must be present on the Graylog server that is capable of receiving form data (e.g. a HTTP input, TCP raw or syslog etc). Versions 6.0.14, 6.1.10, and 6.2.0 fix the issue. No known workarounds are available, as long as the relatively rare prerequisites are met. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-46827, GHSA-76vf-mpmx-777j
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-atsa-zxpc-mkhx |
|
| 5 |
|
| 6 |
| url |
VCID-x9gc-uxqm-k7dn |
| vulnerability_id |
VCID-x9gc-uxqm-k7dn |
| summary |
Graylog is a free and open log management platform. Starting in version 2.0.0 and prior to versions 5.1.11 and 5.2.4, arbitrary classes can be loaded and instantiated using a HTTP PUT request to the `/api/system/cluster_config/` endpoint. Graylog's cluster config system uses fully qualified class names as config keys. To validate the existence of the requested class before using them, Graylog loads the class using the class loader. If a user with the appropriate permissions performs the request, arbitrary classes with 1-arg String constructors can be instantiated. This will execute arbitrary code that is run during class instantiation. In the specific use case of `java.io.File`, the behavior of the internal web-server stack will lead to information exposure by including the entire file content in the response to the REST request. Versions 5.1.11 and 5.2.4 contain a fix for this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-24824, GHSA-p6gg-5hf4-4rgj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x9gc-uxqm-k7dn |
|
| 7 |
| url |
VCID-zuqe-t8gc-sucq |
| vulnerability_id |
VCID-zuqe-t8gc-sucq |
| summary |
Graylog is a free and open log management platform. In a multi-node Graylog cluster, after a user has explicitly logged out, a user session may still be used for API requests until it has reached its original expiry time. Each node maintains an in-memory cache of user sessions. Upon a cache-miss, the session is loaded from the database. After that, the node operates solely on the cached session. Modifications to sessions will update the cached version as well as the session persisted in the database. However, each node maintains their isolated version of the session. When the user logs out, the session is removed from the node-local cache and deleted from the database. The other nodes will however still use the cached session. These nodes will only fail to accept the session id if they intent to update the session in the database. They will then notice that the session is gone. This is true for most API requests originating from user interaction with the Graylog UI because these will lead to an update of the session's "last access" timestamp. If the session update is however prevented by setting the `X-Graylog-No-Session-Extension:true` header in the request, the node will consider the (cached) session valid until the session is expired according to its timeout setting. No session identifiers are leaked. After a user has logged out, the UI shows the login screen again, which gives the user the impression that their session is not valid anymore. However, if the session becomes compromised later, it can still be used to perform API requests against the Graylog cluster. The time frame for this is limited to the configured session lifetime, starting from the time when the user logged out. This issue has been addressed in versions 5.0.9 and 5.1.3. Users are advised to upgrade. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-41041, GHSA-3fqm-frhg-7c85, GMS-2023-1861
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zuqe-t8gc-sucq |
|
|
|---|