CVE-2025-30373

Medium CVSS: 6.5

Graylog is a free and open log management platform. Starting with 6.1, HTTP Inputs can be configured to check if a specified header is present and has a specified value to authenticate HTTP-based ingestion. Unfortunately, even though in cases of a missing header or a wrong value the correct HTTP response (401) is returned, the message will be ingested nonetheless. To mitigate the vulnerability, disable http-based inputs and allow only authenticated pull-based inputs. This vulnerability is fixed in 6.1.9.

Vendor

Graylog

Product

Graylog

CWE

CWE-285

Yayın Tarihi

2025-04-07 15:15:43

Güncelleme

2025-10-30 18:54:24

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-285 Graylog MEDIUM Graylog 2025

Referanslar

https://github.com/Graylog2/graylog2-server/commit/31bc13d3cd6f550ec83473d0f8666cd3ebf50f10 https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-q7g5-jq6p-6wvx

Benzer Kayıtlar

Medium

CVE-2026-1438

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack…

Medium

CVE-2026-1439

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack…

Medium

CVE-2026-1440

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack…

Medium

CVE-2026-1441

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack…

Critical

CVE-2026-1435

Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of s…

High

CVE-2026-1436

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An…