A partial path traversal vulnerability exists in Graylog’s [Support Bundle](https://go2docs.graylog.org/5-1/making_sense_of_your_log_data/cluster_support_bundle.htm) feature. The vulnerability is caused by incorrect user input validation in an HTTP API resource.

Thanks to weiweiwei9811 for reporting this vulnerability and providing detailed information.

### Impact

Graylog’s Support Bundle feature allows an attacker with valid Admin role credentials to download or delete files in sibling directories of the support bundle directory.

The default `data_dir` in operating system packages (DEB, RPM) is set to `/var/lib/graylog-server`. The data directory for the Support Bundle feature is always `/support-bundle`.

Due to the partial path traversal vulnerability, an attacker with valid Admin role credentials can read or delete files in directories that start with a `/var/lib/graylog-server/support-bundle` directory name.

The vulnerability would allow the download or deletion of files in the following example directories.

– `/var/lib/graylog-server/support-bundle-test`
– `/var/lib/graylog-server/support-bundlesdirectory`

For the [Graylog](https://hub.docker.com/r/graylog/graylog) and [Graylog Enterprise](https://hub.docker.com/r/graylog/graylog-enterprise) Docker images, the `data_dir` is set to `/usr/share/graylog/data` by default.

### Patches

The vulnerability is fixed in Graylog version 5.1.3 and later.

### Workarounds

Block all HTTP requests to the following HTTP API endpoints by using a reverse proxy server in front of Graylog.

– `GET /api/system/debug/support/bundle/download/{filename}`
– `DELETE /api/system/debug/support/bundle/{filename}`Read More