PT-2024-20589 · Graylog · Graylog

Fabian Yamaguchi +1

Published: 2024-02-07 · Updated: 2024-02-15

CVE-2024-24823

CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Graylog versions 4.3.0 through 5.1.10
Graylog versions 4.3.0 through 5.2.3
Description
Graylog's login endpoint, "/api/system/sessions", accepts a request that already carries a session cookie and, when the supplied credentials are valid, re-uses that session id instead of issuing a new one, even when the credentials belong to a different user. An attacker who can place their own session cookie in a victim's browser and then get the victim to log in (for example through a spoofed login screen) therefore ends up holding a session id that is now bound to the victim's account, and so gains the victim's level of access to an existing Graylog login session. The complexity of such an attack is high, because it requires presenting a spoofed login screen and injecting a session cookie into the victim's browser, potentially through a cross-site scripting attack. No such attack has been discovered. Short session expiration and explicit log-outs of unused sessions help limit the attack window, since a fixed session is only useful while it remains valid. Because "/api/system/sessions" is the only vulnerable endpoint, a proxy in front of Graylog can also clear the authentication cookie on requests to that endpoint, so the server never sees an existing session id at login time.
Recommendations
For Graylog versions 4.3.0 through 5.1.10, update to version 5.1.11 or later to resolve the issue.
For Graylog versions 4.3.0 through 5.2.3, update to version 5.2.4 or later to resolve the issue.
As a temporary workaround, use short session expiration and explicitly log out unused sessions to limit the window in which a fixed session can be abused, and configure a proxy in front of Graylog to strip the authentication cookie from requests to the "/api/system/sessions" endpoint, the only endpoint affected.
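The session re-use described above, the fixed behaviour, and the cookie-stripping proxy workaround, modelled as an added Python example. This is illustrative code written for this page, not Graylog's code: the in-memory session store, the sample accounts, the function names and the cookie name "authentication" (taken from the advisory's wording) are assumptions, and the only thing it reproduces from the advisory is the logic of re-binding an incoming session id versus issuing a fresh one.

```python
# Added example (not Graylog code): models the session-fixation flaw described
# in this advisory, the hardened login behaviour, and the proxy workaround.
# Function names, sample accounts and the cookie name are assumptions.
import secrets
from dataclasses import dataclass, field

LOGIN_PATH = "/api/system/sessions"   # the endpoint the advisory names as vulnerable
AUTH_COOKIE = "authentication"        # assumed cookie name, after the advisory's wording

# Constructed sample accounts for the simulation.
USERS = {"attacker": "attacker-pw", "admin": "admin-pw"}


@dataclass
class SessionStore:
    """In-memory session table: session id -> owning user."""
    sessions: dict = field(default_factory=dict)

    def create(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid


def login_vulnerable(store, username, password, cookie_sid=None):
    """Pre-fix behaviour as the advisory describes it: a session id presented
    in the cookie is kept and simply re-bound to whoever authenticates now."""
    if USERS.get(username) != password:
        return None
    if cookie_sid in store.sessions:
        store.sessions[cookie_sid] = username   # same id, new identity
        return cookie_sid
    return store.create(username)


def login_fixed(store, username, password, cookie_sid=None):
    """Hardened behaviour: every successful login gets a freshly generated id
    and any id carried in the cookie is invalidated."""
    if USERS.get(username) != password:
        return None
    if cookie_sid is not None:
        store.sessions.pop(cookie_sid, None)
    return store.create(username)


def proxy_filter(path, cookies):
    """Models the proxy workaround: drop the authentication cookie on requests
    to the login endpoint so the backend never sees an existing session id."""
    if path == LOGIN_PATH:
        return {k: v for k, v in cookies.items() if k != AUTH_COOKIE}
    return dict(cookies)


def fixation_succeeds(login, through_proxy=False):
    """Replays the attack sequence against a login handler and reports whether
    the attacker's original session id ends up bound to the victim's account."""
    store = SessionStore()
    # 1. attacker logs in and learns their own session id
    attacker_sid = login(store, "attacker", USERS["attacker"])
    # 2. attacker plants that id in the victim's browser (per the advisory this
    #    needs e.g. XSS plus a spoofed login screen); 3. the victim logs in
    cookies = {AUTH_COOKIE: attacker_sid}
    if through_proxy:
        cookies = proxy_filter(LOGIN_PATH, cookies)
    victim_sid = login(store, "admin", USERS["admin"],
                       cookie_sid=cookies.get(AUTH_COOKIE))
    # 4. attacker presents the cookie they already hold
    return victim_sid == attacker_sid and store.sessions.get(attacker_sid) == "admin"


if __name__ == "__main__":
    print("vulnerable handler hijacked:", fixation_succeeds(login_vulnerable))
    print("fixed handler hijacked:     ", fixation_succeeds(login_fixed))
    print("vulnerable behind proxy:    ", fixation_succeeds(login_vulnerable, through_proxy=True))
```

The same sequence is the check to run against a live instance before and after patching: log in to the session endpoint once, repeat the request with the returned session id in the cookie and a different valid account, and compare the session identifiers in the two responses. A patched server returns a different id on the second login, and a proxy that strips the cookie on "/api/system/sessions" has the same effect even when the backend is still vulnerable.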

Weakness Enumeration

Session Fixation
Related Identifiers

CVE-2024-24823
GHSA-3XF8-G8GR-G7RH

Affected Products

Graylog