Graylog · Graylog · CVE-2024-24823
**Name of the Vulnerable Software and Affected Versions**
Graylog versions 4.3.0 through 5.1.10 (5.1.x line, fixed in 5.1.11)
Graylog versions 5.2.0 through 5.2.3 (5.2.x line, fixed in 5.2.4)
**Description**
Graylog's login endpoint, `POST /api/system/sessions`, accepts a login request that already carries an `authentication` session cookie and, instead of issuing a fresh session id, re-uses the existing one, even when the credentials being presented belong to a different user. This is a session-fixation weakness: an attacker who holds a valid session id of their own (for example from a low-privileged account) and manages to plant that session cookie in another user's browser can wait for that user to log in; the victim's login then binds the attacker's session id to the victim's account, and the attacker's copy of the cookie now carries the victim's privileges, giving elevated access to an existing Graylog login session.

The complexity of such an attack is high, because it requires presenting the victim with a spoofed login screen and injecting a session cookie into an existing browser, potentially through a cross-site scripting attack. No such attack has been discovered. Short session expiration and explicit logout of unused sessions help limit the attack vector by shrinking the window in which a fixated session can be abused. A reverse proxy in front of Graylog can also be used to clear the `authentication` cookie on requests to the "/api/system/sessions" endpoint, which is the only endpoint affected, so that a login request never reaches the server with a pre-existing session id.
**Recommendations**
For Graylog versions 4.3.0 through 5.1.10, update to version 5.1.11 or later to resolve the issue.
For Graylog versions 4.3.0 through 5.2.3, update to version 5.2.4 or later to resolve the issue.
As a temporary workaround until the upgrade is applied, use short session expiration and explicitly log out unused sessions to limit the attack vector.
As a further workaround, place a reverse proxy in front of Graylog that clears the `authentication` cookie on requests to the "/api/system/sessions" endpoint, so that login requests cannot re-use an existing session id. This only helps if the proxy is the sole route to the Graylog API; direct access to the Graylog listener bypasses it.
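The proxy workaround above, written out as an nginx configuration. This is an added example, not part of the Graylog advisory and not Graylog's own documentation; the upstream address (127.0.0.1:9000), hostname (graylog.example.internal) and certificate paths are assumptions, as is the choice to drop the whole Cookie header rather than only the `authentication` cookie on the login request, which relies on the login POST not needing any other cookie. The `map` keys the decision on the request method because the Graylog web interface also uses `GET /api/system/sessions` to validate the current session; stripping the cookie there would log users out on every page load.

```nginx
# Added example (not from the Graylog advisory): nginx reverse proxy in front of
# Graylog that drops the browser's cookie only on the login request,
# POST /api/system/sessions, so a login can never re-use a pre-existing session id.
# Assumed names: upstream 127.0.0.1:9000, hostname graylog.example.internal,
# certificate paths under /etc/nginx/certs/.

# Decide per request method what Cookie header to forward on the sessions endpoint.
# An empty value makes nginx omit the header entirely from the proxied request.
map $request_method $graylog_sessions_cookie {
    default $http_cookie;   # GET (session validation) and other methods keep their cookie
    POST    "";             # login request: forward no cookie, forcing a fresh session id
}

upstream graylog {
    server 127.0.0.1:9000;  # assumed Graylog http_bind_address
}

server {
    listen 443 ssl;
    server_name graylog.example.internal;
    ssl_certificate     /etc/nginx/certs/graylog.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/certs/graylog.key;

    # Exact match: only the /api/system/sessions collection endpoint, not
    # /api/system/sessions/<id> or anything else under /api/.
    location = /api/system/sessions {
        proxy_pass http://graylog;
        proxy_set_header Cookie $graylog_sessions_cookie;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Graylog-Server-URL https://$host/;
    }

    # Everything else (web interface and the rest of the API) is passed through unchanged.
    location / {
        proxy_pass http://graylog;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Graylog-Server-URL https://$host/;
    }
}
```

Validate with `nginx -t` and reload, then confirm the effect from a client: log in once, save the `authentication` cookie from the `Set-Cookie` response header, and log in again with a second account while sending that cookie on the POST. Behind the proxy (or on a patched release) the second login must return a different session id; if it returns the same one, the mitigation is not in the request path, for example because the client reached Graylog's own listener directly. Keep the proxy in place only as a stopgap; the upgrade to 5.1.11 or 5.2.4 is the fix.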