CVE-2023-41044

LOW3.3EPSS 0.29%

Graylog server has partial path traversal vulnerability in Support Bundle feature

發布日:2023/7/6修改日:2024/2/16

描述

A partial path traversal vulnerability exists in Graylog's [Support Bundle](https://go2docs.graylog.org/5-1/making_sense_of_your_log_data/cluster_support_bundle.htm) feature. The vulnerability is caused by incorrect user input validation in an HTTP API resource. Thanks to weiweiwei9811 for reporting this vulnerability and providing detailed information. ### Impact Graylog's Support Bundle feature allows an attacker with valid Admin role credentials to download or delete files in sibling directories of the support bundle directory. The default `data_dir` in operating system packages (DEB, RPM) is set to `/var/lib/graylog-server`. The data directory for the Support Bundle feature is always `<data_dir>/support-bundle`. Due to the partial path traversal vulnerability, an attacker with valid Admin role credentials can read or delete files in directories that start with a `/var/lib/graylog-server/support-bundle` directory name. The vulnerability would allow the download or deletion of files in the following example directories. - `/var/lib/graylog-server/support-bundle-test` - `/var/lib/graylog-server/support-bundlesdirectory` For the [Graylog](https://hub.docker.com/r/graylog/graylog) and [Graylog Enterprise](https://hub.docker.com/r/graylog/graylog-enterprise) Docker images, the `data_dir` is set to `/usr/share/graylog/data` by default. ### Patches The vulnerability is fixed in Graylog version 5.1.3 and later. ### Workarounds Block all HTTP requests to the following HTTP API endpoints by using a reverse proxy server in front of Graylog. - `GET /api/system/debug/support/bundle/download/{filename}` - `DELETE /api/system/debug/support/bundle/{filename}`

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 3.1LOW3.3CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

參考連結(5)