org.graylog2:graylog2-server@5.2.0-rc.2 vulnerabilities

latest version

5.2.7
latest non vulnerable version

5.2.7
first published

10 years ago
latest version published

6 days ago
licenses detected
- SSPL-1.0
  [4.0.0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.graylog2:graylog2-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Session Fixation org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Session Fixation due to the improper handling of session cookies. An attacker can gain elevated access to an existing login session by injecting their session cookie into another user's browser. This attack requires presenting a spoofed login screen and injecting a session cookie, which is complex and has not been observed in the wild. How to fix Session Fixation? Upgrade `org.graylog2:graylog2-server` to version 5.1.11, 5.2.4 or higher.	[4.3.0,5.1.11) [5.2.0-alpha.1,5.2.4)
H Improper Access Control org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Improper Access Control via the `/api/system/cluster_config/` endpoint. An attacker can execute arbitrary code that is run during class instantiation by sending a specially crafted HTTP PUT request. Note: This is only exploitable if the attacker possesses the `clusterconfigentry:create` and `clusterconfigentry:edit` permissions, which are typically only granted to `Admin` users. How to fix Improper Access Control? Upgrade `org.graylog2:graylog2-server` to version 5.1.11, 5.2.4 or higher.	[2.0.0,5.1.11) [5.2.0-alpha.1,5.2.4)

Session Fixation

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Session Fixation due to the improper handling of session cookies. An attacker can gain elevated access to an existing login session by injecting their session cookie into another user's browser. This attack requires presenting a spoofed login screen and injecting a session cookie, which is complex and has not been observed in the wild.

How to fix Session Fixation?

Upgrade org.graylog2:graylog2-server to version 5.1.11, 5.2.4 or higher.

[4.3.0,5.1.11) [5.2.0-alpha.1,5.2.4)

Improper Access Control

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Improper Access Control via the /api/system/cluster_config/ endpoint. An attacker can execute arbitrary code that is run during class instantiation by sending a specially crafted HTTP PUT request.

Note:

This is only exploitable if the attacker possesses the clusterconfigentry:create and clusterconfigentry:edit permissions, which are typically only granted to Admin users.

How to fix Improper Access Control?

Upgrade org.graylog2:graylog2-server to version 5.1.11, 5.2.4 or higher.

[2.0.0,5.1.11) [5.2.0-alpha.1,5.2.4)

Go back to all versions of this package

org.graylog2:graylog2-server@5.2.0-rc.2 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities