CVE-2024-24823: 
Java vulnerability analysis and mitigation

Graylog, a free and open log management platform, disclosed a session fixation vulnerability (CVE-2024-24823) affecting versions from 4.3.0 to versions prior to 5.1.11 and 5.2.4. The vulnerability was discovered when it was found that reauthenticating with an existing session cookie would re-use that session ID, even if different user credentials were provided (Vendor Advisory).

The vulnerability stems from a session handling flaw where the system would reuse existing session IDs during reauthentication attempts. This could allow a pre-existing session to be used for gaining elevated access to an existing Graylog login session. The vulnerability has been assigned a CVSS v3.1 base score of 4.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with high attack complexity (NVD).

If successfully exploited, the vulnerability could allow an attacker to gain elevated access to an existing Graylog login session. However, this would require the malicious user to successfully inject their session cookie into someone else's browser, potentially through a cross-site scripting attack (Vendor Advisory).

The vulnerability has been patched in Graylog versions 5.1.11 and 5.2.4, which contain fixes to prevent session reuse under any circumstances. For unpatched systems, workarounds include using short session expiration times and explicit logouts of unused sessions. Additionally, a proxy can be configured to clear the 'authentication' cookie for the Graylog server URL specifically for the '/api/system/sessions' endpoint (Vendor Advisory).