Main Vulnerability Database SB2024111862

SB2024111862 - Improper access control in Graylog

Published: November 18, 2024 Updated: June 25, 2026

Security Bulletin ID SB2024111862

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper access control (CVE-ID: CVE-2024-52506)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the reporting functionality when processing multiple concurrent report rendering requests. A remote user can trigger concurrent report rendering requests to disclose sensitive information.

The issue occurs when report renderings are requested at the same start time and the headless browser instance is reused, which can cause one user's report to be returned to another authorized user.

Remediation

Install update from vendor's website.

References

https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-vggm-3478-vm5m