
Graylog server has partial path traversal vulnerability in Support Bundle feature

A partial path traversal vulnerability exists in Graylog’s [Support Bundle](https://go2docs.graylog.org/5-1/making_sense_of_your_log_data/cluster_support_bundle.htm) feature. The vulnerability is caused by incorrect user input validation in an HTTP API resource.

Thanks to weiweiwei9811 for reporting this vulnerability and providing detailed information.

### Impact

Graylog’s Support Bundle feature allows an attacker with valid Admin role credentials to download or delete files in sibling directories of the support bundle directory.

The default `data_dir` in the operating system packages (DEB, RPM) is `/var/lib/graylog-server`. The Support Bundle feature always stores its data in the `/support-bundle` subdirectory of `data_dir`.

Because the traversal is only partial, an attacker with valid Admin role credentials cannot reach arbitrary locations, but can read or delete files in any sibling directory whose name begins with the `/var/lib/graylog-server/support-bundle` prefix.

With the default `data_dir`, the vulnerability would allow the download or deletion of files in directories such as the following:

– `/var/lib/graylog-server/support-bundle-test`
– `/var/lib/graylog-server/support-bundlesdirectory`

For the [Graylog](https://hub.docker.com/r/graylog/graylog) and [Graylog Enterprise](https://hub.docker.com/r/graylog/graylog-enterprise) Docker images, the `data_dir` is set to `/usr/share/graylog/data` by default.
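To make the flaw concrete, the following is an added illustration of the partial path traversal class described above; it is not Graylog's code and makes no claim about the exact check the project used. A containment check that compares resolved paths with a plain string prefix accepts sibling directories that merely share the `support-bundle` name prefix, while a component-wise check does not. The base directories are the page's defaults; the requested file names are constructed.

```python
import os

# Page defaults: package install and Docker image (data_dir + "/support-bundle").
PACKAGE_BUNDLE_DIR = "/var/lib/graylog-server/support-bundle"
DOCKER_BUNDLE_DIR = "/usr/share/graylog/data/support-bundle"


def _resolve(base_dir: str, requested: str) -> tuple[str, str]:
    """Resolve base and target to absolute, symlink-free, normalized paths."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_dir, requested))
    return base, target


def is_within_vulnerable(base_dir: str, requested: str) -> bool:
    """Flawed containment check: plain string prefix on resolved paths.

    '/var/lib/graylog-server/support-bundle-test/x' starts with
    '/var/lib/graylog-server/support-bundle', so a sibling directory that
    shares the name prefix passes even though it is outside the base.
    """
    base, target = _resolve(base_dir, requested)
    return target.startswith(base)


def is_within_fixed(base_dir: str, requested: str) -> bool:
    """Component-wise containment check.

    The target is inside the base only if the base is a whole-component
    prefix of it (commonpath compares path segments, not characters), so
    'support-bundle-test' is correctly treated as a different directory.
    """
    base, target = _resolve(base_dir, requested)
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # mixed absolute/relative paths or drives
        return False


def compare_checks(base_dir: str, requested: str) -> dict:
    """Run both checks on one request so the divergence is visible."""
    return {
        "requested": requested,
        "vulnerable_allows": is_within_vulnerable(base_dir, requested),
        "fixed_allows": is_within_fixed(base_dir, requested),
    }


if __name__ == "__main__":
    # Constructed request names; the second is the sibling-directory case.
    for name in ("bundle.zip", "../support-bundle-test/notes.txt", "../../etc/x"):
        print(compare_checks(PACKAGE_BUNDLE_DIR, name))
```

Only the sibling-directory request produces different answers from the two checks; a legitimate file inside the bundle directory and a full traversal outside `data_dir` are handled the same by both.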

### Patches

The vulnerability is fixed in Graylog version 5.1.3 and later.

### Workarounds

Until the upgrade is applied, block all HTTP requests to the following HTTP API endpoints with a reverse proxy server in front of Graylog:

– `GET /api/system/debug/support/bundle/download/(unknown)`
– `DELETE /api/system/debug/support/bundle/(unknown)`
