org.graylog2:graylog2-server 6.1.8 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.graylog2:graylog2-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the plugins and API Browser. An attacker with the `FILES_CREATE` permission can upload and execute arbitrary Javascript, leading to unauthorized actions performed with the permissions of the logged-in user. How to fix Cross-site Scripting (XSS)? Upgrade `org.graylog2:graylog2-server` to version 6.2.0 or higher.	[,6.2.0)
H Cross-site Scripting (XSS) org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `Event Definition Remediation Step` field. An attacker can obtain user session cookies by submitting an HTML form. Note: This is only exploitable if the attacker has a user account with permissions to create event definitions, and the victim must have permissions to view alerts. Additionally, an active Input capable of receiving form data must be present on the server. How to fix Cross-site Scripting (XSS)? Upgrade `org.graylog2:graylog2-server` to version 6.0.14, 6.1.10 or higher.	[,6.0.14)[6.1.0,6.1.10)
M Authentication Bypass Using an Alternate Path or Channel org.graylog2:graylog2-server is a log management platform. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the `channelRead0()` function. An attacker can bypass authentication by sending HTTP requests without required Authorization headers or with incorrect values. How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `org.graylog2:graylog2-server` to version 6.1.9 or higher.	[6.1.0,6.1.9)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the plugins and API Browser. An attacker with the FILES_CREATE permission can upload and execute arbitrary Javascript, leading to unauthorized actions performed with the permissions of the logged-in user.

How to fix Cross-site Scripting (XSS)?

Upgrade org.graylog2:graylog2-server to version 6.2.0 or higher.

[,6.2.0)

Cross-site Scripting (XSS)

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Event Definition Remediation Step field. An attacker can obtain user session cookies by submitting an HTML form.

Note:

This is only exploitable if the attacker has a user account with permissions to create event definitions, and the victim must have permissions to view alerts. Additionally, an active Input capable of receiving form data must be present on the server.

How to fix Cross-site Scripting (XSS)?

Upgrade org.graylog2:graylog2-server to version 6.0.14, 6.1.10 or higher.

[,6.0.14)[6.1.0,6.1.10)

Authentication Bypass Using an Alternate Path or Channel

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the channelRead0() function. An attacker can bypass authentication by sending HTTP requests without required Authorization headers or with incorrect values.

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade org.graylog2:graylog2-server to version 6.1.9 or higher.

[6.1.0,6.1.9)

org.graylog2:graylog2-server@6.1.8 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically