PT-2023-5707 · Graylog · Graylog

Thll · Published 2023-07-06 · Updated 2023-09-05 · CVE-2023-41041

CVSS v3.1: 2.6
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions:

Graylog versions prior to 5.0.9

Graylog versions prior to 5.1.3

Description:

The issue is related to the incorrect session expiration in a multi-node Graylog cluster. After a user has explicitly logged out, a user session may still be used for API requests until it has reached its original expiry time. Each node maintains an in-memory cache of user sessions, and when the user logs out, the session is removed from the node-local cache and deleted from the database. However, other nodes will still use the cached session until they attempt to update the session in the database. If the session update is prevented by setting the `X-Graylog-No-Session-Extension:true` header in the request, the node will consider the cached session valid until the session is expired according to its timeout setting. No session identifiers are leaked, but if the session becomes compromised later, it can still be used to perform API requests against the Graylog cluster.
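The cache behaviour described above, reduced to a small model. This is an added illustration, not Graylog's code: the `SessionStore` and `Node` classes, the `verify_in_store` switch that stands in for the fix, and the constructed session id are all assumptions of the model. It contrasts a node that only notices a logout when it writes an extension to the database with a node that confirms the session still exists on every request.

```python
SESSION_TTL = 3600  # seconds; stands in for the cluster session timeout

class SessionStore:
    """Stands in for the shared database that holds sessions."""
    def __init__(self):
        self.sessions = {}  # session_id -> expiry timestamp
    def extend(self, sid, now):
        if sid not in self.sessions:
            raise KeyError(sid)  # deleted by a logout on another node
        self.sessions[sid] = now + SESSION_TTL

class Node:
    """One cluster node with its node-local in-memory session cache."""
    def __init__(self, store, verify_in_store):
        self.store, self.cache = store, {}
        # fixed behaviour: confirm the session still exists in the store on
        # every request, not only when an extension is written
        self.verify_in_store = verify_in_store

    def authenticate(self, sid, now, no_extension=False):
        expiry = self.cache.get(sid) or self.store.sessions.get(sid)
        if expiry is None or now >= expiry:
            self.cache.pop(sid, None)
            return False
        self.cache[sid] = expiry
        if self.verify_in_store and sid not in self.store.sessions:
            self.cache.pop(sid, None)
            return False
        if not no_extension:  # X-Graylog-No-Session-Extension not set
            try:
                self.store.extend(sid, now)
                self.cache[sid] = now + SESSION_TTL
            except KeyError:  # the store write reveals the logout
                self.cache.pop(sid, None)
                return False
        return True

    def logout(self, sid):
        self.cache.pop(sid, None)
        self.store.sessions.pop(sid, None)

def cached_session_survives_logout(fixed):
    """Log out on node A, then re-use the session on node B with extension
    suppressed; returns True if node B still accepts the session."""
    store = SessionStore()
    node_a, node_b = Node(store, fixed), Node(store, fixed)
    store.sessions["sid-1"] = SESSION_TTL  # constructed session, created at t=0
    node_b.authenticate("sid-1", now=1)    # warms node B's cache
    node_a.logout("sid-1")
    return node_b.authenticate("sid-1", now=2, no_extension=True)
```

With `fixed=False` the second node keeps honouring the cached session; with `fixed=True` the per-request existence check rejects it.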

Recommendations:

For Graylog versions prior to 5.0.9, upgrade to version 5.0.9 or later.

For Graylog versions prior to 5.1.3, upgrade to version 5.1.3 or later.

As a temporary workaround, consider setting the `X-Graylog-No-Session-Extension:true` header in API requests to prevent session updates and minimize the risk of exploitation.


Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

BDU:2023-06377
CVE-2023-41041
GHSA-3FQM-FRHG-7C85

Affected Products

Graylog