logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-41044 org.graylog2:graylog2-server

Package

Manager: maven
Name: org.graylog2:graylog2-server
Vulnerable Version: >=5.1.0 <5.1.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00203 pctl0.42637

Details

Graylog server has partial path traversal vulnerability in Support Bundle feature A partial path traversal vulnerability exists in Graylog's [Support Bundle](https://go2docs.graylog.org/5-1/making_sense_of_your_log_data/cluster_support_bundle.htm) feature. The vulnerability is caused by incorrect user input validation in an HTTP API resource. Thanks to weiweiwei9811 for reporting this vulnerability and providing detailed information. ### Impact Graylog's Support Bundle feature allows an attacker with valid Admin role credentials to download or delete files in sibling directories of the support bundle directory. The default `data_dir` in operating system packages (DEB, RPM) is set to `/var/lib/graylog-server`. The data directory for the Support Bundle feature is always `<data_dir>/support-bundle`. Due to the partial path traversal vulnerability, an attacker with valid Admin role credentials can read or delete files in directories that start with a `/var/lib/graylog-server/support-bundle` directory name. The vulnerability would allow the download or deletion of files in the following example directories. - `/var/lib/graylog-server/support-bundle-test` - `/var/lib/graylog-server/support-bundlesdirectory` For the [Graylog](https://hub.docker.com/r/graylog/graylog) and [Graylog Enterprise](https://hub.docker.com/r/graylog/graylog-enterprise) Docker images, the `data_dir` is set to `/usr/share/graylog/data` by default. ### Patches The vulnerability is fixed in Graylog version 5.1.3 and later. ### Workarounds Block all HTTP requests to the following HTTP API endpoints by using a reverse proxy server in front of Graylog. - `GET /api/system/debug/support/bundle/download/{filename}` - `DELETE /api/system/debug/support/bundle/{filename}`

Metadata

Created: 2023-07-06T20:53:15Z
Modified: 2023-08-31T18:52:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-2q4p-f6gf-mqr5/GHSA-2q4p-f6gf-mqr5.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-2q4p-f6gf-mqr5
Finding: F063
Auto approve: 1