Arbitrary Class Loading Vulnerability in Graylog's Cluster Config System
CVE-2024-24824

8.8HIGH

Key Information:

Vendor: Graylog2
Status: Graylog2-server
Vendor: CVE Published:; 7 February 2024

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 34%

What is CVE-2024-24824?

Graylog, a widely used open-source log management platform, is susceptible to a vulnerability that enables the loading and instantiation of arbitrary classes. This issue arises from the handling of HTTP PUT requests to the /api/system/cluster_config/ endpoint, where the system permits the submission of fully qualified class names as configuration keys. If executed by an authorized user, this vulnerability can lead to code execution during class instantiation, facilitating potential data exposure. Notably, when the java.io.File class is used, the internal web-server's response could inadvertently reveal sensitive file content. Resolutions for this flaw were incorporated in Graylog versions 5.1.11 and 5.2.4.

Affected Version(s)

graylog2-server >= 2.0.0, < 5.1.11 < 2.0.0, 5.1.11

graylog2-server >= 5.2.0, < 5.2.4 < 5.2.0, 5.2.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

graylog-cve-2024-24824-exploit
Created by rootkiTED