8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
29.5%
Arbitrary classes can be loaded and instantiated using an HTTP PUT request to the /api/system/cluster_config/ endpoint.
Graylog's cluster config system uses fully qualified class names as config keys. To validate that the requested class exists before using it, Graylog loads the class through the class loader.
A request of the following form will output the content of the /etc/passwd file:
curl -u admin:<admin-password> -X PUT http://localhost:9000/api/system/cluster_config/java.io.File \
-H "Content-Type: application/json" \
-H "X-Requested-By: poc" \
-d '"/etc/passwd"'
To perform the request, authorization is required. Only users possessing the clusterconfigentry:create and clusterconfigentry:edit permissions are allowed to do so. These permissions are usually only granted to Admin users.
If a user with the appropriate permissions performs the request, any class on the server's classpath that has a one-argument String constructor can be instantiated, with the request body supplying the constructor argument. Whatever code that class runs during construction is executed on the Graylog server.
In the specific case of java.io.File, the internal web-server stack's handling of the resulting File object includes the entire file content in the response to the REST request, resulting in information exposure.
Analysis provided by Fabian Yamaguchi - Whirly Labs (Pty) Ltd
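The mechanism described above, as an added illustration rather than Graylog's own code or the project's fix: a minimal Java model of a config-key handler that passes a caller-supplied key straight to the class loader and instantiates the result through its (String) constructor, next to a hardened variant that treats the key only as a lookup into a registry of config types built at startup, so user input never reaches Class.forName. The RetentionConfig type, the method names and the registry are hypothetical.

```java
import java.io.File;
import java.util.Map;

public class ClusterConfigKeyResolution {

    // Hypothetical registered config type; stands in for real cluster config classes.
    public static final class RetentionConfig {
        public final String value;
        public RetentionConfig(String value) { this.value = value; }
    }

    // Vulnerable pattern: the caller-supplied key goes straight to the class loader, and the
    // matching class is instantiated through its (String) constructor with the request body.
    static Object vulnerableResolve(String configKey, String body) throws Exception {
        Class<?> clazz = Class.forName(configKey);
        return clazz.getConstructor(String.class).newInstance(body);
    }

    // Hardened pattern: the key is only a lookup into a registry populated at startup, so
    // user input never reaches Class.forName and only registered types can be instantiated.
    private static final Map<String, Class<?>> REGISTERED_TYPES = Map.of(
            RetentionConfig.class.getName(), RetentionConfig.class);

    static Object hardenedResolve(String configKey, String body) throws Exception {
        Class<?> clazz = REGISTERED_TYPES.get(configKey);
        if (clazz == null) {
            throw new IllegalArgumentException("unknown cluster config key: " + configKey);
        }
        return clazz.getConstructor(String.class).newInstance(body);
    }

    public static void main(String[] args) throws Exception {
        // The java.io.File case from the advisory: the request body becomes the File's path.
        Object f = vulnerableResolve("java.io.File", "/etc/passwd");
        System.out.println(f.getClass().getName() + " instantiated for path " + ((File) f).getPath());

        // The same key against the hardened resolver is rejected before any class is loaded.
        try {
            hardenedResolve("java.io.File", "/etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A registered key still resolves normally.
        Object cfg = hardenedResolve(RetentionConfig.class.getName(), "30d");
        System.out.println("accepted: " + ((RetentionConfig) cfg).value);
    }
}
```

The point of the registry is that the existence check is done against data the server owns, not by asking the class loader about attacker-chosen names; a plain string prefix check (for example, only allowing names under the application's package) would still let the request reach any class that happens to live under that prefix. How the linked Graylog commits close the issue is documented in those commits themselves and is not reproduced here.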
CPE | Name | Operator | Version
---|---|---|---
 | org.graylog2:graylog2-server | lt | 5.2.4
 | org.graylog2:graylog2-server | ge | 2.0.0
 | org.graylog2:graylog2-server | lt | 5.1.11
github.com/advisories/GHSA-p6gg-5hf4-4rgj
github.com/Graylog2/graylog2-server/blob/e458db8bf4f789d4d19f1b37f0263f910c8d036c/graylog2-server/src/main/java/org/graylog2/rest/resources/system/ClusterConfigResource.java#L208-L214
github.com/Graylog2/graylog2-server/commit/75ef2b8d60e7d67f859b79fe712c8ae7b2e861d8
github.com/Graylog2/graylog2-server/commit/7f8ef7fa8edf493106d5ef6f777d4da02c5194d9
github.com/Graylog2/graylog2-server/security/advisories/GHSA-p6gg-5hf4-4rgj
nvd.nist.gov/vuln/detail/CVE-2024-24824