CVE-2023-41044 in Graylog

Summary

by MITRE • 08/31/2023

Graylog is a free and open log management platform. A partial path traversal vulnerability exists in Graylog's `Support Bundle` feature. The vulnerability is caused by incorrect user input validation in an HTTP API resource. Graylog's Support Bundle feature allows an attacker with valid Admin role credentials to download or delete files in sibling directories of the support bundle directory. The default `data_dir` in operating system packages (DEB, RPM) is set to `/var/lib/graylog-server`. The data directory for the Support Bundle feature is always `/support-bundle`. Due to the partial path traversal vulnerability, an attacker with valid Admin role credentials can read or delete files in directories that start with a `/var/lib/graylog-server/support-bundle` directory name. The vulnerability would allow the download or deletion of files in the following example directories: `/var/lib/graylog-server/support-bundle-test` and `/var/lib/graylog-server/support-bundlesdirectory`. For the Graylog Docker images, the `data_dir` is set to `/usr/share/graylog/data` by default. This vulnerability is fixed in Graylog version 5.1.3 and later. Users are advised to upgrade. Users unable to upgrade should block all HTTP requests to the following HTTP API endpoints by using a reverse proxy server in front of Graylog: `GET /api/system/debug/support/bundle/download/(unknown)` and `DELETE /api/system/debug/support/bundle/(unknown)`.


Analysis

by VulDB Data Team • 09/29/2023

CVE-2023-41044 is a critical partial path traversal flaw in the Support Bundle feature of Graylog, a free and open log management platform widely deployed in enterprise environments. The weakness stems from inadequate input validation in the HTTP API resource that handles support bundle operations, and it is reachable by anyone holding valid administrative credentials. The flaw lies in how Graylog validates the file path derived from a support bundle request: the check is meant to confine download and delete operations to the designated support bundle directory, but a crafted path can escape into neighbouring directories.

The flaw exists because Graylog's path handling does not correctly validate user-supplied input when it builds the file path for a download or deletion. On operating system packages the default data directory is `/var/lib/graylog-server`, and the support bundle directory is always `/support-bundle` below it, giving `/var/lib/graylog-server/support-bundle`. The validation, however, effectively checks that the resulting path starts with that directory name rather than that the file lies inside that directory, so any sibling directory whose name shares the prefix is accepted. This is why the traversal is "partial": it cannot reach arbitrary locations on the filesystem, but it does reach directories such as `/var/lib/graylog-server/support-bundle-test` or `/var/lib/graylog-server/support-bundlesdirectory`, where the name prefix matches even though the files are outside the intended directory.
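The difference between a name-prefix check and a real containment check, as an added illustration that is not Graylog's code (the project's actual implementation and its fix are not quoted on this page): `resolve_vulnerable` models a check that only compares the normalised path as a string against the bundle directory, `resolve_hardened` compares path components so that the bundle directory must be the ancestor of the requested file, and `audit` lists the request names that the first accepts but the second rejects. The function names, the constructed request names and the use of `posixpath` (so the result is the same on any host) are assumptions; the directory layout follows the advisory.

```python
import posixpath
from typing import List, Optional

# Constructed layout matching the advisory's description of the DEB/RPM
# packages: data_dir is /var/lib/graylog-server and the support bundle
# directory always sits at /support-bundle below it.
DATA_DIR = "/var/lib/graylog-server"
BUNDLE_DIR = posixpath.join(DATA_DIR, "support-bundle")


def _candidate(filename: str) -> str:
    """Join the user-supplied name onto the bundle directory and collapse
    any '.' / '..' segments. Normalisation alone is not a containment check."""
    return posixpath.normpath(posixpath.join(BUNDLE_DIR, filename))


def resolve_vulnerable(filename: str) -> Optional[str]:
    """Hypothetical flawed check: accept when the normalised path *begins with
    the string* BUNDLE_DIR. Siblings such as 'support-bundle-test' and
    'support-bundlesdirectory' share that prefix, so they pass."""
    candidate = _candidate(filename)
    return candidate if candidate.startswith(BUNDLE_DIR) else None


def resolve_hardened(filename: str) -> Optional[str]:
    """Containment check on path components: the bundle directory must be the
    common ancestor of itself and the candidate, and the candidate must be a
    file strictly inside it (the directory itself is not a downloadable file)."""
    candidate = _candidate(filename)
    if candidate == BUNDLE_DIR:
        return None
    if posixpath.commonpath([BUNDLE_DIR, candidate]) != BUNDLE_DIR:
        return None
    return candidate


def audit(filenames: List[str]) -> List[str]:
    """Names the flawed check lets through that the containment check rejects.
    Handy as a regression test once a fix is deployed."""
    return [
        name for name in filenames
        if resolve_vulnerable(name) is not None and resolve_hardened(name) is None
    ]


if __name__ == "__main__":
    # Constructed request names: one legitimate bundle, the two sibling
    # directories named in the advisory, and an attempt to leave data_dir.
    samples = [
        "bundle-2023-08-31.zip",
        "../support-bundle-test/notes.txt",
        "../support-bundlesdirectory/archive.zip",
        "../../etc/passwd",
    ]
    for name in samples:
        print(f"{name!r:42} vulnerable={resolve_vulnerable(name)!r} "
              f"hardened={resolve_hardened(name)!r}")
    print("slipped past the prefix check:", audit(samples))
```

Neither function resolves symbolic links; if the bundle directory can contain symlinks, canonicalise both the base and the candidate with `os.path.realpath` before comparing. The component-wise idiom is what `java.nio.file.Path.startsWith(Path)` provides in Graylog's own language, as opposed to `String.startsWith`, which reproduces the flawed comparison.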

The operational impact goes beyond reading data: an attacker can both download files from and delete files in the affected sibling directories. This is particularly severe where Graylog is the central log management system, since adjacent directories may hold configuration files, credential stores, or other sensitive artifacts. The vulnerability corresponds to CWE-22 Path Traversal and maps to ATT&CK technique T1078 Valid Accounts, because it is exercised with legitimate administrative credentials to perform unauthorized file operations. Since valid administrative access is the only prerequisite, the flaw is especially dangerous in environments where privilege escalation to the Admin role is not properly mitigated.

Graylog Docker images are affected in the same way: their default data directory is `/usr/share/graylog/data`, so the same sibling-directory pattern applies relative to that location. Graylog version 5.1.3 and later correct the input sanitization and path validation, and upgrading is the recommended remediation. Organizations that cannot upgrade immediately should place a reverse proxy in front of Graylog and block the vulnerable API endpoints, specifically GET `/api/system/debug/support/bundle/download/(unknown)` and DELETE `/api/system/debug/support/bundle/(unknown)`. This removes the exposed endpoints while leaving the rest of the administrative API usable. The case illustrates why path validation must confirm that a resolved path is contained in the intended directory, not merely that it begins with the directory's name.

Responsible

GitHub, Inc.

Reservation

08/22/2023

Disclosure

08/31/2023

Moderation

accepted

CPE

ready

EPSS

0.00569

KEV

no

Activities

very low
