
Graylog vulnerable to instantiation of arbitrary classes triggered by API request


Arbitrary classes can be loaded and instantiated using an HTTP PUT request to the /api/system/cluster_config/ endpoint.


Graylog's cluster config system uses fully qualified class names as config keys. To validate that a requested class exists before using it, Graylog loads the class via the class loader.


A request of the following form will output the content of the /etc/passwd file:

curl -u admin:<admin-password> -X PUT http://localhost:9000/api/system/cluster_config/ \
    -H "Content-Type: application/json" \
    -H "X-Requested-By: poc" \
    -d '"/etc/passwd"'

To perform the request, authorization is required. Only users possessing the clusterconfigentry:create and clusterconfigentry:edit permissions are allowed to do so. These permissions are usually only granted to Admin users.


If a user with the appropriate permissions performs the request, any class that has a one-argument String constructor can be instantiated.

This executes whatever code runs during that class's instantiation.

In the specific use case of, the behaviour of the internal web-server stack will lead to information exposure by including the entire file content in the response to the REST request.
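The following is an added illustration of the pattern described above, not Graylog's code: the weak approach resolves the user-supplied config key with the class loader and calls its String constructor, while the hardened approach (an assumed mitigation, with hypothetical class and key names) looks the key up in a registry of config types populated at startup and rejects anything else before the request body is touched.

```java
import java.util.Map;

// Illustrative model of the advisory's mechanism; names and registry are assumptions.
public class ClusterConfigKeyCheck {

    // Weak pattern: the config key is treated as a class name and resolved with
    // the class loader. Any class on the classpath with a public one-argument
    // String constructor is then instantiated, with the request body as the
    // argument, so the constructor's side effects run on attacker-chosen input.
    static Object instantiateFromKey(String key, String body) throws Exception {
        Class<?> clazz = Class.forName(key);   // user-controlled fully qualified name
        return clazz.getConstructor(String.class).newInstance(body);
    }

    // Hypothetical config type standing in for a legitimately registered class.
    record RetentionConfig(int days) {}

    // Hardened pattern (assumed): keys are only accepted if they name a config
    // type that the application registered itself. No reflective lookup of
    // user-supplied names happens at all.
    static final Map<String, Class<?>> REGISTRY = Map.of(
        "org.example.config.RetentionConfig", RetentionConfig.class
    );

    static Class<?> resolveConfigType(String key) {
        Class<?> clazz = REGISTRY.get(key);
        if (clazz == null) {
            throw new IllegalArgumentException("unknown cluster config key: " + key);
        }
        return clazz;
    }

    public static void main(String[] args) {
        // Registered key: resolved to the known config type.
        System.out.println(resolveConfigType("org.example.config.RetentionConfig"));
        // Unregistered key (constructed example): rejected before any class is loaded.
        try {
            resolveConfigType("com.example.NotAConfigType");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Requests carrying keys outside such a registry are also a useful audit-log signal, since legitimate clients only ever send the registered config type names.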


Analysis provided by Fabian Yamaguchi - Whirly Labs (Pty) Ltd

Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 23 days ago
Updated: 23 days ago

CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-p6gg-5hf4-4rgj, CVE-2024-24824

Affected Packages

Versions: >= 5.2.0-alpha.1, < 5.2.4; and >= 2.0.0, < 5.1.11
Fixed in: 5.2.4, 5.1.11