CVE-2024-52506 in Serverinfo

Summary

by MITRE • 11/18/2024

Graylog is a free and open log management platform. The reporting functionality in Graylog allows the creation and scheduling of reports which contain dashboard widgets displaying individual log messages or metrics aggregated from fields of multiple log messages. This functionality, as included in Graylog 6.1.0 & 6.1.1, is vulnerable to information leakage triggered by multiple concurrent report rendering requests from authorized users. When multiple report renderings are requested at the same start time, the headless browser instance used to render the PDF will be reused. Depending on the timing, either a check for the browser instance "freshness" hits, resulting in an error instead of the report being returned, or one of the concurrent report rendering requests "wins" and this report is returned for all report rendering requests that do not return an error. This might lead to one user getting the report of a different user, potentially leaking indexed log messages or aggregated data that this user normally has no access to. This problem is fixed in Graylog 6.1.2. There is no known workaround besides disabling the reporting functionality.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 09/24/2025

The vulnerability CVE-2024-52506 affects Graylog 6.1.0 and 6.1.1, specifically targeting the reporting functionality that enables users to create and schedule reports containing dashboard widgets with log messages or aggregated metrics. This issue represents a critical information disclosure vulnerability that arises from improper handling of concurrent report rendering requests within the platform's headless browser implementation. The flaw occurs when multiple authorized users simultaneously request report generation at identical start times, creating a race condition scenario that compromises data isolation between users.

The technical implementation flaw stems from the reuse of headless browser instances for PDF rendering operations without proper synchronization mechanisms to prevent concurrent access conflicts. When multiple requests arrive simultaneously, the system attempts to validate browser instance freshness, but this validation process creates unpredictable outcomes where either an error is returned or one request's results are erroneously served to all concurrent requests. This behavior directly violates fundamental security principles of access control and data segregation, as the system fails to maintain proper user boundaries during report generation operations. The vulnerability is classified as a CWE-200 Information Exposure and aligns with ATT&CK technique T1070.004 Indicator Removal on Host, as it enables unauthorized data access through compromised report generation mechanisms.

The operational impact of this vulnerability extends beyond simple data leakage to represent a significant compromise of Graylog's user access controls and data confidentiality. An attacker with authorized access can potentially obtain sensitive log data or aggregated metrics that belong to other users, creating a scenario where one user's report content is returned to multiple concurrent requestors. This information disclosure could expose system vulnerabilities, user activities, or sensitive operational data that should remain isolated between different user accounts. The vulnerability affects all users with reporting privileges and can be exploited without requiring elevated permissions beyond standard user access levels. Organizations relying on Graylog for security monitoring or compliance reporting face potential regulatory violations and security breaches through this mechanism.

Mitigation strategies for CVE-2024-52506 require immediate deployment of Graylog 6.1.2, which contains the necessary fixes to address the concurrent report rendering race condition. The vulnerability cannot be effectively mitigated through configuration changes or workarounds, as the issue resides in the core rendering engine's handling of browser instances during concurrent operations. Organizations should also implement monitoring for unusual concurrent report requests and consider temporarily disabling reporting functionality if immediate patching is not possible. The fix addresses the root cause by implementing proper synchronization mechanisms for headless browser instance management and ensuring that each report generation request receives isolated processing resources. Security teams should review access controls and user permissions to minimize potential impact if exploitation occurs before patch deployment, while also conducting thorough testing of the updated version to ensure no regression issues affect other reporting functionality.

Responsible

GitHub M

Reservation

11/11/2024

Disclosure

11/18/2024

Moderation

accepted

CPE

ready

EPSS

0.00624

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!