CVE-2021-37759: 
NixOS vulnerability analysis and mitigation

A Session ID leak vulnerability was discovered in Graylog before version 4.1.2, tracked as CVE-2021-37759. The vulnerability affects the DEBUG log file and allows attackers to escalate privileges to the access level of the leaked session ID. The issue has been present since Graylog v0.20.0 for local DEBUG log file leaks and since v2.1.1 for audit log leaks (Vendor Advisory).

The vulnerability stems from session IDs being exposed in two locations: the DEBUG log file (which is not enabled by default) and the Graylog Enterprise Audit Log. When exploited, an attacker can obtain and use these leaked session IDs to authenticate against Graylog, gaining all permissions associated with the owner of the session ID. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows attackers to take over valid session IDs and authenticate against Graylog with elevated privileges. Once authenticated, the attacker gains access to all permissions associated with the original session ID owner, potentially leading to unauthorized access to sensitive data and system controls (Vendor Advisory).

The vulnerability was patched in Graylog v4.1.2. Upon updating to the new version, Graylog automatically invalidates all open sessions. For users unable to upgrade immediately, the workaround involves manually deleting each open session from MongoDB. It is strongly recommended that all users upgrade to the patched version as soon as possible (Vendor Advisory).

The vulnerability was responsibly disclosed by David Herbstmann on July 26, 2021. Graylog confirmed the vulnerability the same day and quickly developed a patch, making the release available to the public by July 30, 2021 (Vendor Advisory).