Skip to content

/ graylog2-server

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

user detail leak via api request #5068

Closed
jalogisch opened this issue Sep 5, 2018 · 2 comments
Closed

user detail leak via api request #5068

jalogisch opened this issue Sep 5, 2018 · 2 comments
Assignees
@bernd
Labels
bug security triaged
Milestone
2.5.0

Comments

@jalogisch
Copy link
Contributor

@jalogisch jalogisch commented Sep 5, 2018

Expected Behavior

Only Administrative Users should be able to retreive the user Information of other users from the API.

Current Behavior

When the username is known (or guessed) every user can get details about every user.

# http -a hulle GET https://nuci3.local.lan/graylog/api/users/Nobody
http: password for hulle@nuci3.local.lan:
HTTP/1.1 200 OK

{
    "client_address": null,
    "email": "imnobody@graylog.com",
    "external": false,
    "full_name": "I. M. Nobody",
    "id": "5af475b28c4d850001c17cb2",
    "last_activity": null,
    "permissions": [],
    "preferences": {
        "enableSmartSearch": true,
        "updateUnfocussed": false
    },
    "read_only": false,
    "roles": [
        "Reader",
        "Default - No Access"
    ],
    "session_active": false,
    "session_timeout_ms": 300000,
    "startpage": null,
    "timezone": "America/Chicago",
    "username": "Nobody"
}

Possible Solution

Make the user details only available for the user themself and the Admin.

Context

When running with multiple Users that are not known to each other on the same Graylog Setup, every User would be able to retreive Information about other users. Including what they can access.

This is worse from a company perspective revealing their customer details to other customers, but in addition this could be used as initial informations for further attacks against Graylog.

Your Environment

  • Graylog Version: 2.4.5
@radykal-com radykal-com mentioned this issue Sep 6, 2018
Merged
4 of 9 tasks complete
@eduault
Copy link

@eduault eduault commented Sep 7, 2018
edited

The DeLorean will be useful to fix this bug :
image
@bernd bernd added this to the 2.5.0 milestone Oct 8, 2018
@bernd bernd self-assigned this Nov 22, 2018
@bernd bernd closed this in #5079 Nov 23, 2018
bernd added a commit that referenced this issue Nov 23, 2018
@radykal-com @bernd
Limit user details to self and admins in API (#5079)
6d80b74 
Fixes #5068
@bernd
Copy link
Member

@bernd bernd commented Nov 23, 2018

This bug has been fixed in #5079 and the fix will be in the upcoming 2.5 release.
bernd added a commit that referenced this issue Nov 23, 2018
@radykal-com @bernd
Limit user details to self and admins in API (#5079)
Loading status checks…
9794d77 
Fixes #5068

(cherry picked from commit 6d80b74)
@bernd bernd mentioned this issue Nov 23, 2018
Merged
edmundoa added a commit that referenced this issue Nov 23, 2018
@bernd @edmundoa
Limit user details to self and admins in API (#5079) (#5308)
754b0d5 
* Limit user details to self and admins in API (#5079)

Fixes #5068

(cherry picked from commit 6d80b74)

* Fix missing import
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bernd bernd

Labels
bug security triaged
Projects
None yet
Milestone
2.5.0
Linked pull requests

Successfully merging a pull request may close this issue.

Limit user details to self and admins in API
4 participants
@bernd @dennisoelkers @jalogisch @eduault