CVE-2024-24824

Name of the Vulnerable Software and Affected Versions Graylog versions 2.0.0 through 5.1.10 Graylog versions 5.2.0 through 5.2.3

Description The issue allows arbitrary classes to be loaded and instantiated using a HTTP PUT request to the "/api/system/cluster config/" endpoint. Graylog's cluster config system uses fully qualified class names as config keys, and to validate the existence of the requested class, Graylog loads the class using the class loader. If a user with the appropriate permissions performs the request, arbitrary classes with 1-arg String constructors can be instantiated, executing arbitrary code during class instantiation. In the specific use case of java.io.File, the behavior of the internal web-server stack will lead to information exposure by including the entire file content in the response to the REST request.

Recommendations For Graylog versions 2.0.0 through 5.1.10, update to version 5.1.11 or later. For Graylog versions 5.2.0 through 5.2.3, update to version 5.2.4 or later. As a temporary workaround, consider restricting access to the "/api/system/cluster config/" endpoint to minimize the risk of exploitation. Restrict access to the java.io.File class to prevent information exposure. Ensure that only authorized users with the clusterconfigentry:create and clusterconfigentry:edit permissions can perform requests to the vulnerable endpoint.