Graylog Privilege Escalation Vulnerability via API Tokens

Vulnerability

A privilege escalation vulnerability has been identified in Graylog, a log management platform, affecting versions 6.2.0 prior to 6.2.4 and 6.3.0-alpha.1 prior to 6.3.0-rc.2. The vulnerability allows an authenticated user to create API tokens for the local Administrator or any other user, provided the target user's ID is known. The root cause is a weak permission check in the token creation process. Exploitation requires an existing user account in Graylog.

Impact

Exploitation of this vulnerability allows unauthorized privilege escalation: a low-privileged user can create API tokens that carry the rights of another user, including those of the local Administrator.

Reproduction

To reproduce this vulnerability, a user account in Graylog is required. Once logged in, that user can send requests to the Graylog REST API that create tokens for other users, including the Administrator, because the token creation endpoint's permission checks are inadequate.

Remediation

Upgrade to Graylog 6.2.4 or 6.3.0-rc.2, where this vulnerability is patched. After upgrading, review the API tokens listed in the Token Management section to ensure every token is accounted for and still needed. Graylog Enterprise users should also check the Audit Log for token creation actions during the period the vulnerable version was in use.
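As an added example (not from this advisory or from Graylog), the following script applies the audit review described above to constructed audit events: it reports token creations that happened while the vulnerable version was in use and where the acting user is not the token's owner. The log line format, the action names and the exposure window are assumptions made for this example; a real export from the Graylog Audit Log needs its own parser.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

# Exposure window: assumed per-deployment dates (vulnerable build installed,
# then upgraded to 6.2.4 / 6.3.0-rc.2). Constructed for this example.
WINDOW_START = datetime(2025, 6, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 7, 3, tzinfo=timezone.utc)

@dataclass
class AuditEvent:
    timestamp: datetime
    actor: str        # user who performed the action
    action: str       # assumed action names: token_create, token_delete
    target_user: str  # user the token belongs to

def parse_audit_line(line: str) -> AuditEvent:
    """Parse a constructed line: '<ISO time> actor=<u> action=<a> target=<u>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuditEvent(datetime.fromisoformat(ts), kv["actor"],
                      kv["action"], kv["target"])

def suspicious_token_creations(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, actor, owner) for tokens created inside the exposure
    window by someone other than the token's owner: the abuse pattern this
    advisory describes. A user creating a token for themselves is normal."""
    hits = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev.action != "token_create":
            continue
        if not WINDOW_START <= ev.timestamp <= WINDOW_END:
            continue  # outside the period the vulnerable version was in use
        if ev.actor != ev.target_user:
            hits.append((ev.timestamp.isoformat(), ev.actor, ev.target_user))
    return hits

# Constructed sample audit events (not real Graylog output).
SAMPLE_LOG = [
    "2025-05-20T08:00:00+00:00 actor=admin action=token_create target=admin",
    "2025-06-10T09:15:00+00:00 actor=jdoe action=token_create target=admin",
    "2025-06-11T10:00:00+00:00 actor=jdoe action=token_create target=jdoe",
    "2025-06-12T11:30:00+00:00 actor=jdoe action=token_delete target=admin",
    "2025-07-05T12:00:00+00:00 actor=jdoe action=token_create target=admin",
]
if __name__ == "__main__":
    for ts, actor, owner in suspicious_token_creations(SAMPLE_LOG):
        print(f"{ts}: {actor} created an API token for {owner}")
```

Any hit should be followed up by revoking the token in Token Management and reviewing what it was used for; creations after the upgrade date go through the corrected permission check and are treated as ordinary administration here.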

Added: Jul 2, 2025, 2:17 PM
Updated: Jul 2, 2025, 2:17 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 5.0
exploitability: 5.6
remediation: 8.3
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.