org.graylog2:graylog2-server 5.2.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.graylog2:graylog2-server package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Session Fixation org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Session Fixation due to the improper handling of session cookies. An attacker can gain elevated access to an existing login session by injecting their session cookie into another user's browser. This attack requires presenting a spoofed login screen and injecting a session cookie, which is complex and has not been observed in the wild. How to fix Session Fixation? Upgrade `org.graylog2:graylog2-server` to version 5.1.11, 5.2.4 or higher.	[4.3.0,5.1.11)[5.2.0-alpha.1,5.2.4)
H Improper Access Control org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Improper Access Control via the `/api/system/cluster_config/` endpoint. An attacker can execute arbitrary code that is run during class instantiation by sending a specially crafted HTTP PUT request. Note: This is only exploitable if the attacker possesses the `clusterconfigentry:create` and `clusterconfigentry:edit` permissions, which are typically only granted to `Admin` users. How to fix Improper Access Control? Upgrade `org.graylog2:graylog2-server` to version 5.1.11, 5.2.4 or higher.	[2.0.0,5.1.11)[5.2.0-alpha.1,5.2.4)

Vulnerability

Vulnerable Version

Session Fixation

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Session Fixation due to the improper handling of session cookies. An attacker can gain elevated access to an existing login session by injecting their session cookie into another user's browser. This attack requires presenting a spoofed login screen and injecting a session cookie, which is complex and has not been observed in the wild.

How to fix Session Fixation?

Upgrade org.graylog2:graylog2-server to version 5.1.11, 5.2.4 or higher.

[4.3.0,5.1.11)[5.2.0-alpha.1,5.2.4)

Improper Access Control

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Improper Access Control via the /api/system/cluster_config/ endpoint. An attacker can execute arbitrary code that is run during class instantiation by sending a specially crafted HTTP PUT request.

Note:

This is only exploitable if the attacker possesses the clusterconfigentry:create and clusterconfigentry:edit permissions, which are typically only granted to Admin users.

How to fix Improper Access Control?

Upgrade org.graylog2:graylog2-server to version 5.1.11, 5.2.4 or higher.

[2.0.0,5.1.11)[5.2.0-alpha.1,5.2.4)

org.graylog2:graylog2-server@5.2.1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?