CVE-2023-41044
Graylog server has partial path traversal vulnerability in Support Bundle feature
Description
A partial path traversal vulnerability exists in Graylog's [Support Bundle](https://go2docs.graylog.org/5-1/making_sense_of_your_log_data/cluster_support_bundle.htm) feature. The vulnerability is caused by incorrect user input validation in an HTTP API resource. Thanks to weiweiwei9811 for reporting this vulnerability and providing detailed information. ### Impact Graylog's Support Bundle feature allows an attacker with valid Admin role credentials to download or delete files in sibling directories of the support bundle directory. The default `data_dir` in operating system packages (DEB, RPM) is set to `/var/lib/graylog-server`. The data directory for the Support Bundle feature is always `<data_dir>/support-bundle`. Due to the partial path traversal vulnerability, an attacker with valid Admin role credentials can read or delete files in directories that start with a `/var/lib/graylog-server/support-bundle` directory name. The vulnerability would allow the download or deletion of files in the following example directories. - `/var/lib/graylog-server/support-bundle-test` - `/var/lib/graylog-server/support-bundlesdirectory` For the [Graylog](https://hub.docker.com/r/graylog/graylog) and [Graylog Enterprise](https://hub.docker.com/r/graylog/graylog-enterprise) Docker images, the `data_dir` is set to `/usr/share/graylog/data` by default. ### Patches The vulnerability is fixed in Graylog version 5.1.3 and later. ### Workarounds Block all HTTP requests to the following HTTP API endpoints by using a reverse proxy server in front of Graylog. - `GET /api/system/debug/support/bundle/download/{filename}` - `DELETE /api/system/debug/support/bundle/{filename}`
How to fix CVE-2023-41044
To remediate CVE-2023-41044, upgrade the affected package to a fixed version below.
- —upgrade to 5.1.3 or later
Is CVE-2023-41044 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.