Maven package
org.graylog2/graylog2-server
pkg:maven/org.graylog2/graylog2-server
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-53106 | — | — | — | >= 6.2.0, < 6.2.4 | 6.2.4 | Jul 2, 2025 | Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-rc.2, Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user know |
| CVE-2025-46827 | — | — | — | < 6.0.14 | 6.0.14 | May 7, 2025 | Graylog is a free and open log management platform. Prior to versions 6.0.14, 6.1.10, and 6.2.0, it is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field. For this attack to succeed, the attacker needs a user a |
| CVE-2025-30373 | — | — | — | >= 6.1.0, < 6.1.9 | 6.1.9 | Apr 7, 2025 | Graylog is a free and open log management platform. Starting with 6.1, HTTP Inputs can be configured to check if a specified header is present and has a specified value to authenticate HTTP-based ingestion. Unfortunately, even though in cases of a missing header or a wrong value |
| CVE-2024-24824 | — | — | — | >= 2.0.0, < 5.1.11 | 5.1.11 | Feb 7, 2024 | Graylog is a free and open log management platform. Starting in version 2.0.0 and prior to versions 5.1.11 and 5.2.4, arbitrary classes can be loaded and instantiated using a HTTP PUT request to the `/api/system/cluster_config/` endpoint. Graylog's cluster config system uses full |
| CVE-2024-24823 | — | — | — | >= 4.3.0, < 5.1.11 | 5.1.11 | Feb 7, 2024 | Graylog is a free and open log management platform. Starting in version 4.3.0 and prior to versions 5.1.11 and 5.2.4, reauthenticating with an existing session cookie would re-use that session id, even if for different user credentials. In this case, the pre-existing session coul |
| CVE-2023-41045 | — | — | — | >= 5.1.0, < 5.1.3 | 5.1.3 | Aug 31, 2023 | Graylog is a free and open log management platform. Graylog makes use of only one single source port for DNS queries. Graylog binds a single socket for outgoing DNS queries and while that socket is bound to a random port number it is never changed again. This goes against recomme |
| CVE-2023-41044 | — | — | — | >= 5.1.0, < 5.1.3 | 5.1.3 | Aug 31, 2023 | Graylog is a free and open log management platform. A partial path traversal vulnerability exists in Graylog's `Support Bundle` feature. The vulnerability is caused by incorrect user input validation in an HTTP API resource. Graylog's Support Bundle feature allows an attacker wit |
| CVE-2023-41041 | — | — | — | >= 1.0, < 5.0.9 | 5.0.9 | Aug 30, 2023 | Graylog is a free and open log management platform. In a multi-node Graylog cluster, after a user has explicitly logged out, a user session may still be used for API requests until it has reached its original expiry time. Each node maintains an in-memory cache of user sessions. U |
| CVE-2018-14380 | — | — | — | < 2.4.6 | 2.4.6 | Jul 18, 2018 | In Graylog before 2.4.6, XSS was possible in typeahead components, related to components/common/TypeAheadInput.jsx and components/search/QueryInput.ts. |
| CVE-2018-11651 | — | — | — | < 2.4.4 | 2.4.4 | Jun 1, 2018 | Graylog before v2.4.4 has an XSS security issue with unescaped text in dashboard names, related to components/dashboard/Dashboard.jsx, components/dashboard/EditDashboardModal.jsx, and pages/ShowDashboardPage.jsx. |
| CVE-2018-11650 | — | — | — | < 2.4.4 | 2.4.4 | Jun 1, 2018 | Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js. |