Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-24823

Graylog is a free and open log management platform. Starting in version 4.3.0 and prior to versions 5.1.11 and 5.2.4, reauthenticating with an existing session cookie would re-use that session id, even if for different user credentials. In this case, the pre-existing session could be used to gain elevated access to an existing Graylog login session, provided the malicious user could successfully inject their session cookie into someone else's browser. The complexity of such an attack is high, because it requires presenting a spoofed login screen and injection of a session cookie into an existing browser, potentially through a cross-site scripting attack. No such attack has been discovered. Graylog 5.1.11 and 5.2.4, and any versions of the 6.0 development branch, contain patches to not re-use sessions under any circumstances. Some workarounds are available. Using short session expiration and explicit log outs of unused sessions can help limiting the attack vector. Unpatched this vulnerability exists, but is relatively hard to exploit. A proxy could be leveraged to clear the `authentication` cookie for the Graylog server URL for the `/api/system/sessions` endpoint, as that is the only one vulnerable.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 5.7, indicating it can be exploited remotely over the network but requires specific conditions to be met though user interaction is required . The vulnerability impacts confidentiality (data exposure), integrity (unauthorized modifications), for affected systems. Impacting 1 product from graylog organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2024, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2024-02-07T18:15:54.870

Last Modified

2024-11-21T08:59:47.483

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.7 (MEDIUM)

Weaknesses

Type: Secondary
CWE-384

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	graylog	graylog	< 5.1.11	Yes
Application	graylog	graylog	< 5.2.4	Yes

References

https://github.com/Graylog2/graylog2-server/commit/1596b749db86368ba476662f23a0f0c5ec2b5097 Patch ([email protected])
https://github.com/Graylog2/graylog2-server/commit/b93a66353f35a94a4e8f3f75ac4f5cdc5a2d4a6a Patch ([email protected])
https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3xf8-g8gr-g7rh Vendor Advisory ([email protected])
https://github.com/Graylog2/graylog2-server/commit/1596b749db86368ba476662f23a0f0c5ec2b5097 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Graylog2/graylog2-server/commit/b93a66353f35a94a4e8f3f75ac4f5cdc5a2d4a6a Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3xf8-g8gr-g7rh Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For graylog's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.