Session Fixation Affecting org.graylog2:graylog2-server package, versions [4.3.0,5.1.11) [5.2.0-alpha.1,5.2.4)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGGRAYLOG2-6231776
- published 8 Feb 2024
- disclosed 7 Feb 2024
- credit Fabian Yamaguchi
Introduced: 7 Feb 2024
CVE-2024-24823 Open this link in a new tabHow to fix?
Upgrade org.graylog2:graylog2-server to version 5.1.11, 5.2.4 or higher.
Overview
org.graylog2:graylog2-server is a log management platform.
Affected versions of this package are vulnerable to Session Fixation due to the improper handling of session cookies. An attacker can gain elevated access to an existing login session by injecting their session cookie into another user's browser. This attack requires presenting a spoofed login screen and injecting a session cookie, which is complex and has not been observed in the wild.
Workaround
This vulnerability can be mitigated by using short session expiration times and explicitly logging out of unused sessions. Additionally, a proxy could be used to clear the authentication cookie for the Graylog server URL for the /api/system/sessions endpoint.