Graylog WebUI: Auth Tokens Not Revoked (Historical Finding)
- Author: skull
- First reported: Approx. 2024 (date uncertain, estimated year)
- CVE: None assigned
- Status: Historical; exact details lost; not retested
Overview
I discovered that Graylog WebUI authentication/session tokens were not properly revoked after changing the time limit on session tokens.
This could potentially allow session hijacking if tokens were leaked.
Note: This report is based on recollection; full technical details and affected versions are unfortunately lost due to time elapsed and lack of documentation.
What I Remember
- The issue was identified during testing of Graylog WebUI.
- Session/auth tokens remained valid after changing the time limit on session tokens.
- This could allow persistent access for anyone with a stolen or pregenerated token.
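The pattern I remember is a general session-management mistake, not something specific to Graylog's code: if a token's expiry is baked in at issuance, later tightening the lifetime does nothing to tokens already in circulation. The following is an added example written for this write-up, not Graylog's implementation or any code from the original report. It contrasts a store that fixes the expiry at issuance with one that evaluates validity against the current policy on every check and stamps each token with a policy generation so an administrator can revoke everything issued under an older setting. All class names, the `lifetime_s` parameter and the constructed timestamps are assumptions for illustration.

```python
import hashlib
import secrets


class IssuanceTimeStore:
    """Weak pattern (hypothetical): the expiry timestamp is computed once, when the
    token is issued.  Reducing lifetime_s afterwards does not affect tokens that
    already exist, so a leaked or pre-generated token stays usable until its
    original expiry."""

    def __init__(self, lifetime_s: int) -> None:
        self.lifetime_s = lifetime_s
        self._tokens: dict[str, float] = {}  # token hash -> expires_at

    @staticmethod
    def _key(token: str) -> str:
        # Store only a digest so a database dump does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = now + self.lifetime_s
        return token

    def set_lifetime(self, lifetime_s: int) -> None:
        # Only future tokens see the new limit.
        self.lifetime_s = lifetime_s

    def is_valid(self, token: str, now: float) -> bool:
        expires_at = self._tokens.get(self._key(token))
        return expires_at is not None and now < expires_at


class PolicyTimeStore:
    """Hardened pattern (hypothetical): only issued_at is stored; validity is
    recomputed against the *current* lifetime on every check, and a policy
    generation counter lets the operator invalidate all tokens issued under a
    previous setting in one step."""

    def __init__(self, lifetime_s: int) -> None:
        self.lifetime_s = lifetime_s
        self.generation = 0
        self._tokens: dict[str, tuple[float, int]] = {}  # hash -> (issued_at, gen)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = (now, self.generation)
        return token

    def set_lifetime(self, lifetime_s: int, revoke_existing: bool = False) -> None:
        self.lifetime_s = lifetime_s
        if revoke_existing:
            # Bump the generation: every token stamped with an older value is
            # rejected from now on, regardless of its age.
            self.generation += 1

    def is_valid(self, token: str, now: float) -> bool:
        rec = self._tokens.get(self._key(token))
        if rec is None:
            return False
        issued_at, gen = rec
        if gen != self.generation:
            return False
        # Age is compared to the lifetime in force *now*, not at issuance.
        return now - issued_at < self.lifetime_s


def demo() -> dict[str, bool]:
    """Issue a token under a one-hour limit, tighten the limit to sixty seconds,
    then check the token ten minutes after issuance.  Constructed timestamps."""
    t0 = 1_700_000_000.0  # constructed epoch time
    weak = IssuanceTimeStore(lifetime_s=3600)
    weak_tok = weak.issue(t0)
    weak.set_lifetime(60)

    hard = PolicyTimeStore(lifetime_s=3600)
    hard_tok = hard.issue(t0)
    hard.set_lifetime(60)

    results = {
        # The weak store still honours the old one-hour expiry.
        "weak_valid_after_tightening": weak.is_valid(weak_tok, t0 + 600),
        # The hardened store rejects the same token under the new limit...
        "hard_valid_after_tightening": hard.is_valid(hard_tok, t0 + 600),
        # ...but still accepts it while it is within the new limit.
        "hard_valid_within_new_limit": hard.is_valid(hard_tok, t0 + 30),
    }
    # Explicit revocation: even a fresh token dies when the generation moves on.
    hard.set_lifetime(60, revoke_existing=True)
    results["hard_valid_after_revoke"] = hard.is_valid(hard_tok, t0 + 30)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `demo()` function returns the four outcomes rather than only printing them, so the behaviour can be checked programmatically: the weak store keeps accepting the token after the limit is tightened, while the hardened store rejects it immediately and also supports an explicit revoke-all when the policy changes.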
What’s Missing
- Exact Graylog version affected
- Reproducible proof-of-concept or exploit script
- Exact disclosure timeline and vendor response
- Screenshots or logs from the time
Impact (Estimated)
- Session hijacking
- Persistent unauthorized access
Why Publish This Now?
Although I no longer have all details, I believe it is important to document this issue for the record, and as a warning to those running legacy Graylog instances.
If you have information or can reproduce the issue, please reach out or contribute details.
Responsible Disclosure
The issue was reported internally to my team leader at the time.
I do not have confirmation whether it was ever reported upstream or if a fix was applied.