Veracode Vulnerability Database: VERACODE:45405
History: Feb 08, 2024 - 6:46 a.m.

Session Fixation

Published: 2024-02-08 06:46:44
Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: graylog, session fixation, authentication, vulnerability, token checks, elevated access

CVSS3: 5.7 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

AI Score: 7.1 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 21.3%)

org.graylog2:graylog2-server is vulnerable to Session Fixation. The server performs no token check when a login is completed over an existing session ID, so the session presented by the client is kept and bound to the newly authenticated user instead of being replaced. An attacker who already holds a valid session ID and can inject it as a session cookie into another user's browser can therefore wait for that user to log in and then reuse the same session ID to obtain that user's (possibly elevated) access.
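To make the flaw concrete, here is a small Python simulation (an added example, not Graylog's code) of a login handler that binds credentials to whatever session ID the client presents, next to one that rotates the session ID on authentication. The session store, the user table, the credentials and the attack steps are constructed stand-ins that follow the description above; no Graylog internals are modelled.

```python
"""Session fixation: a login that keeps the presented session ID versus one
that rotates it. Added example; this is a simulation, not Graylog's code.
The session store, user table and attack steps are constructed stand-ins."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None   # None until a login binds the session to a user
    role: str = "anonymous"


class SessionStore:
    """Server-side session table keyed by the cookie value (constructed)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: Optional[str]) -> Optional[Session]:
        return self._sessions.get(sid) if sid else None

    def drop(self, sid: str) -> None:
        self._sessions.pop(sid, None)


# Constructed user table: password and role.
USERS = {"alice": ("alice-pw", "admin"), "mallory": ("mallory-pw", "reader")}

Login = Callable[[SessionStore, Optional[str], str, str], str]


def _check_credentials(username: str, password: str) -> str:
    pw, role = USERS.get(username, (None, None))
    if pw is None or password != pw:
        raise PermissionError("bad credentials")
    return role


def login_vulnerable(store: SessionStore, sid: Optional[str],
                     username: str, password: str) -> str:
    """Flawed flow: credentials are bound to whatever session ID the client
    presented, with no check that the caller is the one who created it."""
    role = _check_credentials(username, password)
    sess = store.get(sid)
    if sess is None:              # only mint a new ID when none was presented
        sid = store.create()
        sess = store.get(sid)
    sess.user, sess.role = username, role
    return sid                    # unchanged: anyone who knew it still does


def login_hardened(store: SessionStore, sid: Optional[str],
                   username: str, password: str) -> str:
    """Fixed flow: the presented session is discarded and a fresh ID is issued
    on every successful authentication, so a planted ID never becomes valid."""
    role = _check_credentials(username, password)
    if sid is not None:
        store.drop(sid)
    new_sid = store.create()
    sess = store.get(new_sid)
    sess.user, sess.role = username, role
    return new_sid


def fixation_attack(login: Login) -> Tuple[str, str, str]:
    """Replay the attack from the advisory against a login implementation.
    Returns (role the attacker ends up with, planted ID, victim's final ID)."""
    store = SessionStore()
    # 1. Attacker logs in with a low-privilege account to obtain a valid session ID.
    planted = login(store, None, "mallory", "mallory-pw")
    # 2. Attacker injects that cookie into the victim's browser (the delivery
    #    mechanism is outside this model, as it is outside the advisory).
    # 3. Victim authenticates while presenting the planted cookie.
    victim_sid = login(store, planted, "alice", "alice-pw")
    # 4. Attacker keeps using the ID they planted.
    sess = store.get(planted)
    attacker_role = sess.role if sess is not None else "denied"
    return attacker_role, planted, victim_sid


if __name__ == "__main__":
    for name, impl in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        role, planted, victim_sid = fixation_attack(impl)
        print(f"{name}: attacker role={role}, planted ID still valid={planted == victim_sid}")
```

Against the vulnerable handler the attacker's "reader" session silently becomes the victim's "admin" session; against the hardened one the planted ID is dead after the victim logs in. The equivalent check on a real deployment is to send a login request while presenting an arbitrary pre-existing session cookie and confirm that the response sets a different session identifier and that the original one no longer authorizes requests.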

