Insufficient Session Expiration Affecting org.graylog2:graylog2-server package, versions [1.0,5.0.9) [5.1.0,5.1.3)


Severity: medium (Snyk recommended score)

CVSS assessment made by Snyk's Security Team

Threat Intelligence: EPSS 0.06% (25th percentile)

  • Snyk ID SNYK-JAVA-ORGGRAYLOG2-5759290
  • published 7 Jul 2023
  • disclosed 6 Jul 2023
  • credit thll

How to fix?

Upgrade org.graylog2:graylog2-server to version 5.0.9, 5.1.3 or higher.

Overview

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Insufficient Session Expiration. In a multi-node Graylog cluster, after a user has explicitly logged out, the user's session may still be used for API requests until it reaches its original expiry time. After logging out, the UI shows the login screen again, which gives the user the impression that their session is no longer valid. However, if the session is compromised later, it can still be used to perform API requests against the Graylog cluster. The exposure window is limited to the configured session lifetime, counted from the time the user logged out.

PoC

In a 2-node setup, with both nodes behind a load balancer:

  1. Log in

  2. Extract the session ID from the cookie

  3. Log out and close the browser

  4. Perform the following API request repeatedly with curl (with <session-id> replaced with the session id from step 2 and <lb-host> replaced with the hostname of your load balancer):

curl -I -H X-Graylog-No-Session-Extension:true https://<session-id>:session@<lb-host>/api/system/cluster/nodes

  5. Notice that the request is sometimes rejected, but sometimes succeeds
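The behaviour above (one node still accepting a session that another node has already rejected after logout) is easiest to spot from the defender's side by correlating logout events with later API calls for the same session. The following Python script is an added example, not part of the advisory or of the Graylog project: it scans a few constructed log lines in an assumed key=value format (the field names, node names and session ids are all made up for the example), reports every successful API call that reused a session after that session's logout, and lists which cluster nodes accepted the stale session.

```python
import re
from datetime import datetime, timezone

# Constructed sample events. The line format, field names, node names and
# session ids are assumptions made for this example; they are not Graylog's
# real log format.
SAMPLE_LOG = """\
2023-07-06T10:00:00Z node-a session=abc123 user=alice event=login
2023-07-06T10:05:00Z node-b session=abc123 user=alice event=api path=/api/system/cluster/nodes status=200
2023-07-06T10:10:00Z node-a session=abc123 user=alice event=logout
2023-07-06T10:12:00Z node-b session=abc123 user=alice event=api path=/api/system/cluster/nodes status=200
2023-07-06T10:13:00Z node-a session=abc123 user=alice event=api path=/api/system/cluster/nodes status=401
2023-07-06T10:14:00Z node-b session=xyz789 user=bob event=api path=/api/streams status=200
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one '<timestamp> <node> k=v k=v ...' line into a dict with a UTC datetime."""
    ts_str, node, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["node"] = node
    return fields


def find_post_logout_reuse(log_text):
    """Return successful API calls that used a session after that session's logout.

    Each finding records the session, user, accepting node, requested path and
    how many seconds after the logout the call was accepted.
    """
    logged_out = {}  # session id -> logout timestamp
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        sid = ev["session"]
        if ev["event"] == "logout":
            logged_out[sid] = ev["ts"]
        elif (
            ev["event"] == "api"
            and sid in logged_out
            and ev["ts"] > logged_out[sid]
            and ev.get("status") == "200"
        ):
            findings.append({
                "session": sid,
                "user": ev.get("user"),
                "node": ev["node"],
                "path": ev.get("path"),
                "seconds_after_logout": int((ev["ts"] - logged_out[sid]).total_seconds()),
            })
    return findings


def nodes_accepting_stale_sessions(log_text):
    """Sorted list of nodes that accepted at least one post-logout session."""
    return sorted({f["node"] for f in find_post_logout_reuse(log_text)})


if __name__ == "__main__":
    for f in find_post_logout_reuse(SAMPLE_LOG):
        print(f"{f['node']} accepted session {f['session']} ({f['user']}) "
              f"{f['seconds_after_logout']}s after logout: {f['path']}")
    print("nodes accepting stale sessions:", nodes_accepting_stale_sessions(SAMPLE_LOG))
```

In the sample data node-a rejects the session at 10:13 (401) while node-b still accepts it at 10:12 (200), which is the "sometimes rejected, sometimes succeeds" pattern of step 5. After upgrading to a fixed version, the same correlation run over real logs should produce no findings at all; any remaining hit points at a node whose session store was not invalidated.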

CVSS Scores (version 3.1)

Snyk (Recommended): 5.4 medium
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): Low
  • Integrity (I): Low
  • Availability (A): None

NVD: 3.1 low