Improper access control in Graylog - CVE-2024-24824

Published: February 7, 2024 / Updated: June 25, 2026


Vulnerability identifier: #VU135306
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-24824
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Graylog
Affected software:
Graylog

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code and disclose sensitive information.

The vulnerability exists due to improper access control in the /api/system/cluster_config/ endpoint when handling crafted HTTP PUT requests that specify fully qualified class names. A remote user can send a specially crafted request to execute arbitrary code and disclose sensitive information.

Exploitation requires permissions to create and edit cluster configuration entries, and the information disclosure example relies on instantiating java.io.File.
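A log-based check a defender could run over Graylog's HTTP access logs for the endpoint named above, as an added example that is not part of this advisory or of Graylog itself: it flags PUT requests to /api/system/cluster_config/ whose class name falls outside Graylog's own packages. It assumes the class name is carried as the path segment after the endpoint (the advisory does not say where it appears) and that legitimate configuration classes live under org.graylog or org.graylog2; the log lines and the non-java.io.File class names are constructed.

```python
import re
from dataclasses import dataclass

# Assumption (not stated in the advisory): the fully qualified class name is
# the path segment that follows /api/system/cluster_config/.
CLUSTER_CONFIG_RE = re.compile(
    r"^/api/system/cluster_config/([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)/?$"
)

# Assumption: Graylog's own cluster configuration classes live under these
# packages; a PUT naming any other class (e.g. java.io.File) is unexpected.
EXPECTED_PREFIXES = ("org.graylog.", "org.graylog2.")

# Common Log Format style: client ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access-log lines (not real traffic); class names other
# than java.io.File are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - bob [07/Feb/2024:09:58:11 +0000] "GET /api/system/cluster_config/ HTTP/1.1" 200 812
10.0.0.5 - bob [07/Feb/2024:09:59:02 +0000] "PUT /api/system/cluster_config/org.graylog2.example.ExampleConfig HTTP/1.1" 202 0
10.0.0.9 - alice [07/Feb/2024:10:00:00 +0000] "PUT /api/system/cluster_config/java.io.File HTTP/1.1" 202 0
10.0.0.9 - alice [07/Feb/2024:10:00:04 +0000] "PUT /api/system/cluster_config/com.example.Probe HTTP/1.1" 400 97
10.0.0.9 - alice [07/Feb/2024:10:00:09 +0000] "GET /api/system/cluster_config/java.io.File HTTP/1.1" 200 55
"""

@dataclass
class Finding:
    client: str
    user: str
    class_name: str
    status: str

def suspicious_cluster_config_puts(lines):
    """PUTs to the cluster_config endpoint naming a class outside the expected packages."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected shape
        client, user, method, path, status = m.groups()
        if method != "PUT":
            continue  # reads of the endpoint are not in scope for this rule
        p = CLUSTER_CONFIG_RE.match(path)
        if not p:
            continue
        class_name = p.group(1)
        if not class_name.startswith(EXPECTED_PREFIXES):
            findings.append(Finding(client, user, class_name, status))
    return findings
```

Because the class name is checked against an allowlist of packages rather than a blocklist of known-bad classes, the rule also catches attempts that name classes other than java.io.File.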


How to mitigate CVE-2024-24824

Install the security update from the vendor's website.

Sources