org.graylog2:graylog2-server 0.21.0-beta4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.graylog2:graylog2-server package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the plugins and API Browser. An attacker with the `FILES_CREATE` permission can upload and execute arbitrary Javascript, leading to unauthorized actions performed with the permissions of the logged-in user. How to fix Cross-site Scripting (XSS)? Upgrade `org.graylog2:graylog2-server` to version 6.2.0 or higher.	[,6.2.0)
H Cross-site Scripting (XSS) org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `Event Definition Remediation Step` field. An attacker can obtain user session cookies by submitting an HTML form. Note: This is only exploitable if the attacker has a user account with permissions to create event definitions, and the victim must have permissions to view alerts. Additionally, an active Input capable of receiving form data must be present on the server. How to fix Cross-site Scripting (XSS)? Upgrade `org.graylog2:graylog2-server` to version 6.0.14, 6.1.10 or higher.	[,6.0.14)[6.1.0,6.1.10)
M Insecure Randomness org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Insecure Randomness such that an external attacker could inject forged DNS responses into a Graylog's lookup table cache. Graylog seems to bind a single socket for outgoing DNS queries. That socket is bound to a random port number which is not changed again. How to fix Insecure Randomness? Upgrade `org.graylog2:graylog2-server` to version 5.0.9, 5.1.3 or higher.	[,5.0.9)[5.1.0,5.1.3)
M Directory Traversal org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Directory Traversal. When starting Graylog with the JVM `-cp` classpath options, instead of using the default `-jar` for the bundled classes, the API REST endpoint `/api-browser/.*` would allow path traversal to allow reading files on the server's filesystem. For example, when starting graylog-server like: /usr/local/openjdk-8/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -cp /usr/share/graylog:/usr/share/graylog/graylog.jar -Dlog4j.configurationFile=/usr/share/graylog/data/config/log4j2.xml -Djava.library.path=/usr/share/graylog/lib/sigar/ -Dgraylog2.installation_source=docker org.graylog2.bootstrap.Main server -f /usr/share/graylog/data/config/graylog.conf The use of `-cp /usr/share/graylog:/usr/share/graylog/graylog.jar` triggers the vulnerability. The check for `..` elements in the resulting file path for documentation resources is performed too early in the resolution process. As a result, an attacker can craft a URL that can contain `..` elements and thus read files the server process has access to. Note: This vulnerability does not apply to the standard installation methods. How to fix Directory Traversal? Upgrade `org.graylog2:graylog2-server` to version 4.0.0-beta.1 or higher.	[0,4.0.0-beta.1)
H Improper Certificate Validation org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Improper Certificate Validation. It accepts LDAP server certificates whose root certificate is not in any trust store. This presents a vulnerability for man-in-the-middle attacks. How to fix Improper Certificate Validation? Upgrade `org.graylog2:graylog2-server` to version 3.3.3 or higher.	[0,3.3.3)
M Cross-site Scripting (XSS) org.graylog2:graylog2-server is an open source log management. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks due to not escaping text in notifications. How to fix Cross-site Scripting (XSS)? Upgrade `org.graylog2:graylog2-server` to version 2.4.4 or higher.	[,2.4.4)
M Cross-site Scripting (XSS) org.graylog2:graylog2-server is an open source log management. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks due to unescaped text in dashboard names. How to fix Cross-site Scripting (XSS)? Upgrade `org.graylog2:graylog2-server` to version 2.4.4 or higher.	[,2.4.4)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the plugins and API Browser. An attacker with the FILES_CREATE permission can upload and execute arbitrary Javascript, leading to unauthorized actions performed with the permissions of the logged-in user.

How to fix Cross-site Scripting (XSS)?

Upgrade org.graylog2:graylog2-server to version 6.2.0 or higher.

[,6.2.0)

Cross-site Scripting (XSS)

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Event Definition Remediation Step field. An attacker can obtain user session cookies by submitting an HTML form.

Note:

This is only exploitable if the attacker has a user account with permissions to create event definitions, and the victim must have permissions to view alerts. Additionally, an active Input capable of receiving form data must be present on the server.

How to fix Cross-site Scripting (XSS)?

Upgrade org.graylog2:graylog2-server to version 6.0.14, 6.1.10 or higher.

[,6.0.14)[6.1.0,6.1.10)

Insecure Randomness

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Insecure Randomness such that an external attacker could inject forged DNS responses into a Graylog's lookup table cache. Graylog seems to bind a single socket for outgoing DNS queries. That socket is bound to a random port number which is not changed again.

How to fix Insecure Randomness?

Upgrade org.graylog2:graylog2-server to version 5.0.9, 5.1.3 or higher.

[,5.0.9)[5.1.0,5.1.3)

Directory Traversal

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Directory Traversal. When starting Graylog with the JVM -cp classpath options, instead of using the default -jar for the bundled classes, the API REST endpoint /api-browser/.* would allow path traversal to allow reading files on the server's filesystem.

For example, when starting graylog-server like:

/usr/local/openjdk-8/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -cp /usr/share/graylog:/usr/share/graylog/graylog.jar -Dlog4j.configurationFile=/usr/share/graylog/data/config/log4j2.xml -Djava.library.path=/usr/share/graylog/lib/sigar/ -Dgraylog2.installation_source=docker org.graylog2.bootstrap.Main server -f /usr/share/graylog/data/config/graylog.conf

The use of -cp /usr/share/graylog:/usr/share/graylog/graylog.jar triggers the vulnerability.

The check for .. elements in the resulting file path for documentation resources is performed too early in the resolution process. As a result, an attacker can craft a URL that can contain .. elements and thus read files the server process has access to.

Note: This vulnerability does not apply to the standard installation methods.

How to fix Directory Traversal?

Upgrade org.graylog2:graylog2-server to version 4.0.0-beta.1 or higher.

[0,4.0.0-beta.1)

Improper Certificate Validation

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Improper Certificate Validation. It accepts LDAP server certificates whose root certificate is not in any trust store. This presents a vulnerability for man-in-the-middle attacks.

How to fix Improper Certificate Validation?

Upgrade org.graylog2:graylog2-server to version 3.3.3 or higher.

[0,3.3.3)

Cross-site Scripting (XSS)

org.graylog2:graylog2-server is an open source log management.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks due to not escaping text in notifications.

How to fix Cross-site Scripting (XSS)?

Upgrade org.graylog2:graylog2-server to version 2.4.4 or higher.

[,2.4.4)

Cross-site Scripting (XSS)

org.graylog2:graylog2-server is an open source log management.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks due to unescaped text in dashboard names.

How to fix Cross-site Scripting (XSS)?

Upgrade org.graylog2:graylog2-server to version 2.4.4 or higher.

[,2.4.4)

org.graylog2:graylog2-server@0.21.0-beta4 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?