org.graylog2:graylog2-server@1.3.0-beta.1 vulnerabilities
-
latest version
6.1.2
-
latest non vulnerable version
-
first published
11 years ago
-
latest version published
23 days ago
-
licenses detected
- [0.20.0-rc.1-1,4.0.0)
-
package manager
Direct Vulnerabilities
Known vulnerabilities in the org.graylog2:graylog2-server package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Insecure Randomness such that an external attacker could inject forged DNS responses into a Graylog's lookup table cache. Graylog seems to bind a single socket for outgoing DNS queries. That socket is bound to a random port number which is not changed again. How to fix Insecure Randomness? Upgrade |
[,5.0.9)
[5.1.0,5.1.3)
|
org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Insufficient Session Expiration such that in a multi-node Graylog cluster, after a user has explicitly logged out, a user session may still be used for API requests until it has reached its original expiry time. After a user has logged out, the UI shows the login screen again, which gives the user the impression that their session is not valid anymore. However, if the session becomes compromised later, it can still be used to perform API requests against the Graylog cluster. The time frame for this is limited to the configured session lifetime, starting from the time when the user logged out. How to fix Insufficient Session Expiration? Upgrade |
[1.0,5.0.9)
[5.1.0,5.1.3)
|
org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Directory Traversal. When starting Graylog with the JVM For example, when starting graylog-server like:
The use of The check for Note: This vulnerability does not apply to the standard installation methods. How to fix Directory Traversal? Upgrade |
[0,4.0.0-beta.1)
|
org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Improper Certificate Validation. It accepts LDAP server certificates whose root certificate is not in any trust store. This presents a vulnerability for man-in-the-middle attacks. How to fix Improper Certificate Validation? Upgrade |
[0,3.3.3)
|
org.graylog2:graylog2-server is an open source log management. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks due to not escaping text in notifications. How to fix Cross-site Scripting (XSS)? Upgrade |
[,2.4.4)
|
org.graylog2:graylog2-server is an open source log management. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks due to unescaped text in dashboard names. How to fix Cross-site Scripting (XSS)? Upgrade |
[,2.4.4)
|