Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user's profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint 'http://<IP>:12900/users/<my_user>' does not implement object-level authorization validations.
oryginał ENCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XGraylog
APPGraylog2.2.3
Powiązane podatności
Graylog: brak unieważniania sesji po ponownym logowaniu (CWE-613)
A Session ID leak in the DEBUG log file in Graylog before 4.1.2 allows attackers to escalate privileges (to th...
A Session ID leak in the audit log in Graylog before 4.1.2 allows attackers to escalate privileges (to the acc...
Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to bef...
Graylog is a free and open log management platform. Prior to versions 6.0.14, 6.1.10, and 6.2.0, it is possibl...