Graylog2-server: user detail leak via api request

Created on 5 Sep 2018 · 2 comments · Source: Graylog2/graylog2-server

Expected Behavior

Only administrative users should be able to retrieve the user information of other users from the API.

Current Behavior

When the username is known (or guessed) every user can get details about every user.

# http -a hulle GET https://nuci3.local.lan/graylog/api/users/Nobody
http: password for [email protected]:
HTTP/1.1 200 OK

{
    "client_address": null,
    "email": "[email protected]",
    "external": false,
    "full_name": "I. M. Nobody",
    "id": "5af475b28c4d850001c17cb2",
    "last_activity": null,
    "permissions": [],
    "preferences": {
        "enableSmartSearch": true,
        "updateUnfocussed": false
    },
    "read_only": false,
    "roles": [
        "Reader",
        "Default - No Access"
    ],
    "session_active": false,
    "session_timeout_ms": 300000,
    "startpage": null,
    "timezone": "America/Chicago",
    "username": "Nobody"
}

Possible Solution

Make the user details only available to the user themselves and the Admin.

Context

When running with multiple users that are not known to each other on the same Graylog setup, every user would be able to retrieve information about other users, including what they can access.

This is worse from a company perspective, revealing their customer details to other customers, but in addition this could be used as initial information for further attacks against Graylog.

Your Environment

  • Graylog Version: 2.4.5
Labels: bug, security, triaged
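The report boils down to a missing object-level authorization check: the endpoint verifies that the caller is authenticated but never asks whether the caller may read that particular user. The following added example (not Graylog's own code, and not the fix that shipped) models that gap and the check the "Possible Solution" describes in plain Python. Permission strings follow the Apache Shiro wildcard syntax that Graylog's permission strings use ("users:read:<username>", "*"); the role-to-permission expansion, the sample users and the handler signatures are assumptions made for this illustration.

```python
"""Added example (not Graylog's code): models the authorization gap reported
in this issue and the check that closes it.

Permission strings follow Apache Shiro's WildcardPermission syntax, which is
the syntax Graylog's permission strings use ("users:read:<username>", "*").
The role contents, user records and handler signatures below are assumptions
made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def permission_implies(granted: str, required: str) -> bool:
    """Shiro WildcardPermission.implies(): ':' separates parts, ',' separates
    alternatives inside a part, '*' matches any value, and a granted string
    with fewer parts than the required one implies every trailing part."""
    g_parts = [set(p.split(",")) for p in granted.split(":")]
    r_parts = [set(p.split(",")) for p in required.split(":")]
    for i, req in enumerate(r_parts):
        if i >= len(g_parts):
            return True  # "users:read" implies "users:read:Nobody"
        if "*" not in g_parts[i] and not req.issubset(g_parts[i]):
            return False
    # Required is shorter than granted: the leftover granted parts must be '*'
    # ("users:read:Nobody" does not imply the broader "users:read").
    return all("*" in g for g in g_parts[len(r_parts):])


@dataclass
class User:
    username: str
    email: str
    full_name: str
    roles: List[str]
    permissions: List[str] = field(default_factory=list)


def effective_permissions(user: User) -> List[str]:
    """Assumed role expansion, loosely modelled on Graylog's built-in roles:
    Admin holds '*', Reader only holds rights over its own account."""
    perms = list(user.permissions)
    for role in user.roles:
        if role == "Admin":
            perms.append("*")
        elif role == "Reader":
            perms += [f"users:edit:{user.username}",
                      f"users:passwordchange:{user.username}"]
    return perms


def is_permitted(user: User, required: str) -> bool:
    return any(permission_implies(g, required) for g in effective_permissions(user))


def serialize(user: User) -> dict:
    """The kind of record the report shows leaking (trimmed to a few fields)."""
    return {"username": user.username, "email": user.email,
            "full_name": user.full_name, "roles": list(user.roles),
            "permissions": effective_permissions(user)}


def get_user_vulnerable(requester: User, target: str,
                        directory: Dict[str, User]) -> Tuple[int, Optional[dict]]:
    """Behaviour described in the report: being authenticated is the only
    check, so any caller who knows a username gets the full record."""
    user = directory.get(target)
    return (404, None) if user is None else (200, serialize(user))


def get_user_hardened(requester: User, target: str,
                      directory: Dict[str, User]) -> Tuple[int, Optional[dict]]:
    """Only the user themselves, or a caller holding users:read for that
    username (Admin via '*'), gets the record. The check runs before the
    lookup, so an unauthorized caller sees 403 whether or not the username
    exists and cannot enumerate accounts through 403-vs-404 differences."""
    if requester.username != target and not is_permitted(requester, f"users:read:{target}"):
        return 403, None
    user = directory.get(target)
    return (404, None) if user is None else (200, serialize(user))


# Constructed sample directory; the addresses are placeholders, not real mailboxes.
DIRECTORY: Dict[str, User] = {
    "Nobody": User("Nobody", "nobody@example.invalid", "I. M. Nobody", ["Reader"]),
    "hulle": User("hulle", "hulle@example.invalid", "H. Ulle", ["Reader"]),
    "admin": User("admin", "admin@example.invalid", "Administrator", ["Admin"]),
}


if __name__ == "__main__":
    hulle = DIRECTORY["hulle"]
    print("vulnerable:", get_user_vulnerable(hulle, "Nobody", DIRECTORY)[0])  # 200
    print("hardened:  ", get_user_hardened(hulle, "Nobody", DIRECTORY)[0])    # 403
    print("self:      ", get_user_hardened(hulle, "hulle", DIRECTORY)[0])     # 200
    print("admin:     ", get_user_hardened(DIRECTORY["admin"], "Nobody", DIRECTORY)[0])  # 200
```

Two details matter when adding such a check. The Reader's own "users:edit:hulle" grant must not be mistaken for a read right on other accounts, which is why the check is against the target's username rather than the caller's. And the permission test has to come before the database lookup: a handler that first returns 404 for unknown names and only then returns 403 hands an unauthorized caller a username oracle, which is exactly the "guessed" username scenario in the report.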

All 2 comments

The DeLorean will be useful to fix this bug :
[image]

This bug has been fixed in #5079 and the fix will be in the upcoming 2.5 release.
