SB2023070546 - Multiple vulnerabilities in Graylog

Published: July 5, 2023 Updated: June 25, 2026

Security Bulletin ID: SB2023070546
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 67%, Medium 33%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Insufficient Session Expiration (CVE-ID: CVE-2023-41041)

CWE-ID: CWE-613 - Insufficient Session Expiration

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to continue using a logged-out session to perform API requests.

The vulnerability exists due to insufficient session expiration in the session handling logic of multi-node Graylog clusters when processing API requests that carry the X-Graylog-No-Session-Extension: true header after logout. A remote user who still holds a previously valid session identifier can keep using the logged-out session to perform API requests.

Only multi-node cluster deployments are affected, and the session remains usable until its original timeout expires.
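The following is an added example, not Graylog's code, that models the failure mode described above: each API node keeps a local session cache, and a node that answers requests carrying X-Graylog-No-Session-Extension: true from that cache alone never sees a logout performed on another node. The node names, the in-memory store and the session identifier are constructed for the example; the assumed root cause (a cache consulted without revalidating against the shared store) is a hypothesis about the bug class, not a statement about Graylog's implementation.

```python
import time

SESSION_TTL = 3600  # seconds; constructed value for the example
HEADER = "X-Graylog-No-Session-Extension"


class SharedSessionStore:
    """Stand-in for the cluster-wide session database (constructed, in-memory)."""

    def __init__(self):
        self._expiry = {}  # session_id -> absolute expiry time

    def create(self, session_id, ttl=SESSION_TTL):
        self._expiry[session_id] = time.monotonic() + ttl

    def expiry_of(self, session_id):
        return self._expiry.get(session_id)

    def touch(self, session_id, ttl=SESSION_TTL):
        if session_id in self._expiry:
            self._expiry[session_id] = time.monotonic() + ttl

    def delete(self, session_id):
        self._expiry.pop(session_id, None)


class ApiNode:
    """One cluster node with its own local session cache.

    strict=False models the flawed behaviour: with the no-extension header
    set, the node answers from its local cache without consulting the shared
    store, so a logout performed on another node is never observed.
    strict=True models the fix: the shared store is always the source of
    truth, and the header only decides whether the expiry is extended.
    """

    def __init__(self, name, store, strict):
        self.name = name
        self.store = store
        self.strict = strict
        self._cache = {}  # session_id -> expiry as last seen from the store

    def authenticate(self, session_id, headers):
        now = time.monotonic()
        no_extension = headers.get(HEADER, "").strip().lower() == "true"

        if not self.strict and no_extension and session_id in self._cache:
            # Flawed path: trust the local cache until its own expiry passes.
            return self._cache[session_id] > now

        expiry = self.store.expiry_of(session_id)
        if expiry is None or expiry <= now:
            # Session revoked or expired: drop any stale cache entry.
            self._cache.pop(session_id, None)
            return False
        if not no_extension:
            self.store.touch(session_id)
            expiry = self.store.expiry_of(session_id)
        self._cache[session_id] = expiry
        return True

    def logout(self, session_id):
        # Logout revokes the session cluster-wide, but only clears this node's cache.
        self.store.delete(session_id)
        self._cache.pop(session_id, None)


def replay_after_logout(strict):
    """Log in on node A, use the session on node B, log out on A, then
    replay the old session id on B with the no-extension header.
    Returns True if node B still accepts the logged-out session."""
    store = SharedSessionStore()
    node_a = ApiNode("A", store, strict)
    node_b = ApiNode("B", store, strict)
    sid = "constructed-session-id"

    store.create(sid)                              # login handled by node A
    assert node_b.authenticate(sid, {}) is True    # node B caches the session
    node_a.logout(sid)                             # logout handled by node A
    return node_b.authenticate(sid, {HEADER: "true"})


if __name__ == "__main__":
    print("flawed node accepts logged-out session:", replay_after_logout(strict=False))
    print("fixed node accepts logged-out session:", replay_after_logout(strict=True))
```

The defensive point is that a "do not extend my session" hint from the client must never be allowed to skip revocation checks: the shared store (or an explicit revocation list) stays authoritative, and local caches are only an optimisation on top of it.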


2) Path Traversal: '../filedir' (CVE-ID: CVE-2023-41044)

CWE-ID: CWE-24 - Path Traversal: '../filedir'

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information or delete files.

The vulnerability exists due to path traversal in the Support Bundle HTTP API resource when handling crafted filename parameters. A remote user can send a specially crafted request to disclose sensitive information or delete files.

Exploitation requires valid Admin role credentials and is limited to sibling directories whose names begin with the support bundle directory path.
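The restriction to sibling directories whose names begin with the support bundle directory path is the signature of a containment check done as a plain string-prefix comparison. The example below is added here and is not Graylog's code: it puts that flawed check beside a hardened one that compares whole path components and requires the parameter to be a bare file name. The base directory and the file names are constructed; the real Graylog directory layout is not assumed.

```python
import os

BASE_DIR = "/srv/graylog/support-bundles"  # constructed path, not Graylog's real layout


def resolve_under(base_dir, filename):
    """Join and normalise, collapsing any '..' segments.

    abspath is used so the example runs without touching the filesystem;
    a production check should also resolve symlinks (os.path.realpath)."""
    base = os.path.abspath(base_dir)
    return base, os.path.abspath(os.path.join(base, filename))


def prefix_check_allows(base_dir, filename):
    """Flawed containment check: string prefix only.

    '/srv/graylog/support-bundles-old/x' starts with the string
    '/srv/graylog/support-bundles', so a sibling directory slips through."""
    base, target = resolve_under(base_dir, filename)
    return target.startswith(base)


def boundary_check_allows(base_dir, filename):
    """Hardened check: the parameter must be a bare file name, and the
    resolved target must lie strictly below the base directory as a whole
    path component (commonpath), not merely share a string prefix."""
    if not filename or os.path.basename(filename) != filename:
        return False  # directory components are never valid in a file name
    base, target = resolve_under(base_dir, filename)
    return os.path.commonpath([base, target]) == base and target != base


def evaluate(filename, base_dir=BASE_DIR):
    """Return (flawed_result, hardened_result) for one candidate name."""
    return prefix_check_allows(base_dir, filename), boundary_check_allows(base_dir, filename)


# Constructed candidates covering the benign case, the sibling-directory
# case the bulletin describes, and plain traversal out of the tree.
CANDIDATES = [
    "bundle-2023-07-05.zip",
    "../support-bundles-old/secret.zip",
    "../../../etc/passwd",
    "sub/bundle.zip",
    "",
]

if __name__ == "__main__":
    for name in CANDIDATES:
        flawed, hardened = evaluate(name)
        print(f"{name!r:40} prefix-check={flawed!s:5} boundary-check={hardened}")
```

Both checks reject a path that climbs out of the parent tree entirely; only the component-aware check rejects the sibling directory, which is exactly the gap the bulletin describes.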


3) Origin validation error (CVE-ID: CVE-2023-41045)

CWE-ID: CWE-346 - Origin Validation Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to poison Graylog's DNS lookup cache.

The vulnerability exists due to improper source port usage in the DNS lookup functionality when sending DNS queries. A remote attacker can inject forged DNS responses to poison Graylog's DNS lookup cache.

Exploitation is described as unlikely in many setups.


Remediation

Install the update from the vendor's website.