CWE-117
AllowedImproper Output Neutralization for Logs
Abstraction: Base · Status: Draft
The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
193 vulnerabilities reference this CWE, most recent first.
GHSA-8FXC-QM65-VPXG
Vulnerability from github – Published: 2021-06-08 19:23 – Updated: 2021-06-03 21:08In OpenStack Swift prior to 2.15.2, the proxy-server logs full tempurl paths, potentially leaking reusable tempurl signatures to anyone with read access to these logs. All Swift deployments using the tempurl middleware are affected.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "swift"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.15.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-8761"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-03T21:08:32Z",
"nvd_published_at": "2021-06-02T14:15:00Z",
"severity": "LOW"
},
"details": "In OpenStack Swift prior to 2.15.2, the proxy-server logs full tempurl paths, potentially leaking reusable tempurl signatures to anyone with read access to these logs. All Swift deployments using the tempurl middleware are affected.",
"id": "GHSA-8fxc-qm65-vpxg",
"modified": "2021-06-03T21:08:32Z",
"published": "2021-06-08T19:23:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8761"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/swift/+bug/1685798/comments/18"
},
{
"type": "WEB",
"url": "https://launchpad.net/bugs/1685798"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Temporary urls leaked via logging"
}
GHSA-8G38-3M6V-232J
Vulnerability from github – Published: 2024-03-13 15:30 – Updated: 2024-03-13 22:28A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format.
Patches
This has been fixed in the CKAN 2.9.11 and 2.10.4 versions
Workarounds
Override the /user/reset endpoint to filter the id parameter in order to exclude newlines
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ckan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ckan"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-27097"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-13T15:30:03Z",
"nvd_published_at": "2024-03-13T21:15:58Z",
"severity": "MODERATE"
},
"details": "A user endpoint didn\u0027t perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format.\n\n### Patches\nThis has been fixed in the CKAN 2.9.11 and 2.10.4 versions\n\n### Workarounds\nOverride the `/user/reset` endpoint to filter the `id` parameter in order to exclude newlines\n\n",
"id": "GHSA-8g38-3m6v-232j",
"modified": "2024-03-13T22:28:40Z",
"published": "2024-03-13T15:30:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ckan/ckan/security/advisories/GHSA-8g38-3m6v-232j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27097"
},
{
"type": "WEB",
"url": "https://github.com/ckan/ckan/commit/5fa133e7e9019573066455b5d442e93c62b3fc93"
},
{
"type": "WEB",
"url": "https://github.com/ckan/ckan/commit/81b56c55e5e3651d7fcf9642cd5a489a9b62212c"
},
{
"type": "WEB",
"url": "https://github.com/ckan/ckan/commit/d81f411bff2da7347c343a83e17f5814475b5b64"
},
{
"type": "WEB",
"url": "https://docs.ckan.org/en/2.10/changelog.html#v-2-10-4-2024-03-13"
},
{
"type": "PACKAGE",
"url": "https://github.com/ckan/ckan"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Potential log injection in reset user endpoint in CKAN"
}
GHSA-8H38-QX4M-2F5R
Vulnerability from github – Published: 2025-01-07 12:31 – Updated: 2025-01-07 12:31IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3
could allow an authenticated user to inject malicious information or obtain information from log files due to improper log neutralization.
{
"affected": [],
"aliases": [
"CVE-2024-52891"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T12:15:25Z",
"severity": "MODERATE"
},
"details": "IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 \n\ncould allow an authenticated user to inject malicious information or obtain information from log files due to improper log neutralization.",
"id": "GHSA-8h38-qx4m-2f5r",
"modified": "2025-01-07T12:31:02Z",
"published": "2025-01-07T12:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52891"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7180303"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8Q9F-GMMQ-64WC
Vulnerability from github – Published: 2025-01-07 06:32 – Updated: 2025-01-07 06:32Seth Fogie, member of AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for an authenticated malicious client to tamper with audit log creation in AXIS Camera Station, or perform a Denial-of-Service attack on the AXIS Camera Station server using maliciously crafted audit log entries. Axis has released a patched version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
{
"affected": [],
"aliases": [
"CVE-2024-7696"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T06:15:17Z",
"severity": "MODERATE"
},
"details": "Seth Fogie, member of AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for an authenticated malicious client to tamper with audit log creation in AXIS Camera Station, or perform a Denial-of-Service attack on the AXIS Camera Station server using maliciously crafted audit log entries. \nAxis has released a patched version for the highlighted flaw. Please \nrefer to the Axis security advisory for more information and solution.",
"id": "GHSA-8q9f-gmmq-64wc",
"modified": "2025-01-07T06:32:16Z",
"published": "2025-01-07T06:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7696"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/b3/53/03/cve-2024-7696-en-US-459552.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8RHC-GWC6-W584
Vulnerability from github – Published: 2025-10-06 09:30 – Updated: 2025-10-06 09:30An API endpoint allows arbitrary log entries to be created via POST request. Without sufficient validation of the input data, an attacker can create manipulated log entries and thus falsify or dilute logs, for example.
{
"affected": [],
"aliases": [
"CVE-2025-58580"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-06T07:15:34Z",
"severity": "MODERATE"
},
"details": "An API endpoint allows arbitrary log entries to be created via POST request. Without sufficient validation of the input data, an attacker can create manipulated log entries and thus falsify or dilute logs, for example.",
"id": "GHSA-8rhc-gwc6-w584",
"modified": "2025-10-06T09:30:19Z",
"published": "2025-10-06T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58580"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf"
},
{
"type": "WEB",
"url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8RRQ-WCG8-CV5Q
Vulnerability from github – Published: 2026-05-18 17:56 – Updated: 2026-06-09 10:57Summary
OBI exports raw Redis error text as the span status message. Because Redis error replies can contain attacker-controlled or sensitive values, this behavior can exfiltrate tokens, PII, or other confidential input into telemetry backends and inject untrusted text into downstream analysis systems.
Details
In pkg/ebpf/common/redis_detect_transform.go, getRedisError trims the raw error buffer and stores it directly in request.DBError.Description.
Later, pkg/appolly/app/request/span.go returns that description as the exported status message for Redis spans whenever the span status is non-zero.
There is no opt-in control or sanitization beyond CRLF trimming. As a result, raw Redis error text becomes part of OTLP-exported status metadata by default.
PoC
Local request-layer testing recorded a status message containing ERR invalid password for user bob secret=TOPSECRET, which shows that unfiltered Redis error text reaches the exported status message.
Use a vulnerable build:
git checkout v0.0.0-rc.1+build
make build
Start Redis and OBI:
docker run --rm -p 6379:6379 redis:7
sudo ./bin/obi
Send a command that causes Redis to return an error containing caller-supplied text:
redis-cli -p 6379 'NOTACMD my-secret-token-123'
Capture the exported span or inspect the local telemetry output. On a vulnerable build, the span status message contains the Redis error text, including the supplied command fragment. This demonstrates that raw Redis error text is exported into telemetry by default and that values embedded in that text, including data supplied unintentionally by a caller, can be carried into tracing systems.
Impact
This is an information disclosure and telemetry injection issue. It affects any deployment that traces Redis traffic and exports spans to collectors, logs, or dashboards. Sensitive values, tokens, or PII present in Redis error text can be exfiltrated into telemetry systems, and untrusted text can contaminate downstream analysis.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "go.opentelemetry.io/obi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45679"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:56:15Z",
"nvd_published_at": "2026-06-02T16:16:42Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nOBI exports raw Redis error text as the span status message. Because Redis error replies can contain attacker-controlled or sensitive values, this behavior can exfiltrate tokens, PII, or other confidential input into telemetry backends and inject untrusted text into downstream analysis systems.\n\n### Details\n\nIn [pkg/ebpf/common/redis_detect_transform.go](https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/4f35facce2fe611319672595838ab875490f404d/pkg/components/ebpf/common/redis_detect_transform.go#L60-L74), `getRedisError` trims the raw error buffer and stores it directly in `request.DBError.Description`.\n\nLater, [pkg/appolly/app/request/span.go](https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/4f35facce2fe611319672595838ab875490f404d/pkg/app/request/span.go#L347-L352) returns that description as the exported status message for Redis spans whenever the span status is non-zero.\n\nThere is no opt-in control or sanitization beyond CRLF trimming. As a result, raw Redis error text becomes part of OTLP-exported status metadata by default.\n\n### PoC\n\nLocal request-layer testing recorded a status message containing `ERR invalid password for user bob secret=TOPSECRET`, which shows that unfiltered Redis error text reaches the exported status message.\n\nUse a vulnerable build:\n\n```bash\ngit checkout v0.0.0-rc.1+build\nmake build\n```\n\nStart Redis and OBI:\n\n```bash\ndocker run --rm -p 6379:6379 redis:7\nsudo ./bin/obi\n```\n\nSend a command that causes Redis to return an error containing caller-supplied text:\n\n```bash\nredis-cli -p 6379 \u0027NOTACMD my-secret-token-123\u0027\n```\n\nCapture the exported span or inspect the local telemetry output. On a vulnerable build, the span status message contains the Redis error text, including the supplied command fragment. This demonstrates that raw Redis error text is exported into telemetry by default and that values embedded in that text, including data supplied unintentionally by a caller, can be carried into tracing systems.\n\n### Impact\n\nThis is an information disclosure and telemetry injection issue. It affects any deployment that traces Redis traffic and exports spans to collectors, logs, or dashboards. Sensitive values, tokens, or PII present in Redis error text can be exfiltrated into telemetry systems, and untrusted text can contaminate downstream analysis.",
"id": "GHSA-8rrq-wcg8-cv5q",
"modified": "2026-06-09T10:57:58Z",
"published": "2026-05-18T17:56:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-8rrq-wcg8-cv5q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45679"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation"
},
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages"
}
GHSA-939Q-9PXW-M29R
Vulnerability from github – Published: 2025-01-25 15:30 – Updated: 2025-01-25 15:30IBM Maximo Application Suite 8.10.12, 8.11.0, 9.0.1, and 9.1.0 - Monitor Component does not neutralize output that is written to logs, which could allow an attacker to inject false log entries.
{
"affected": [],
"aliases": [
"CVE-2024-35150"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-25T15:15:08Z",
"severity": "MODERATE"
},
"details": "IBM Maximo Application Suite 8.10.12, 8.11.0, 9.0.1, and 9.1.0 - Monitor Component does not neutralize output that is written to logs, which could allow an attacker to inject false log entries.",
"id": "GHSA-939q-9pxw-m29r",
"modified": "2025-01-25T15:30:31Z",
"published": "2025-01-25T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35150"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7180057"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-93V9-VQWF-HHCG
Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34lldptool version 1.0.1 and older can print a raw, unsanitized attacker controlled buffer when mngAddr information is displayed. This may allow an attacker to inject shell control characters into the buffer and impact the behavior of the terminal.
{
"affected": [],
"aliases": [
"CVE-2018-10932"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-119"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-21T18:29:00Z",
"severity": "MODERATE"
},
"details": "lldptool version 1.0.1 and older can print a raw, unsanitized attacker controlled buffer when mngAddr information is displayed. This may allow an attacker to inject shell control characters into the buffer and impact the behavior of the terminal.",
"id": "GHSA-93v9-vqwf-hhcg",
"modified": "2022-05-13T01:34:53Z",
"published": "2022-05-13T01:34:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10932"
},
{
"type": "WEB",
"url": "https://github.com/intel/openlldp/pull/7"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2019:2339"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3673"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2018-10932"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1551623"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1614896"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10932"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/148721"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-95FM-5HCH-CCGX
Vulnerability from github – Published: 2025-10-30 06:30 – Updated: 2025-10-30 06:30The Site Checkup Debug AI Troubleshooting with Wizard and Tips for Each Issue plugin for WordPress is vulnerable to log file poisoning in all versions up to, and including, 1.47. This makes it possible for unauthenticated attackers to insert arbitrary content into log files, and potentially cause denial of service via disk space exhaustion.
{
"affected": [],
"aliases": [
"CVE-2025-11627"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-30T06:15:43Z",
"severity": "MODERATE"
},
"details": "The Site Checkup Debug AI Troubleshooting with Wizard and Tips for Each Issue plugin for WordPress is vulnerable to log file poisoning in all versions up to, and including, 1.47. This makes it possible for unauthenticated attackers to insert arbitrary content into log files, and potentially cause denial of service via disk space exhaustion.",
"id": "GHSA-95fm-5hch-ccgx",
"modified": "2025-10-30T06:30:54Z",
"published": "2025-10-30T06:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11627"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/site-checkup/tags/1.47/includes/catch-errors/class_bill_catch_errors.php#L80"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3380169"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50251b17-58d7-4870-b825-a194312fb3e7?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9H6H-9G78-86F7
Vulnerability from github – Published: 2022-12-29 01:50 – Updated: 2022-12-29 01:50Impact
If you make use of the report receiver server (experimental), a client may be able to forge requests such that arbitrary files on the host can be overwritten (subject to permissions of the yapscan server), leading to loss of data. This is particularly problematic if you do not authenticate clients and/or run the server with elevated permissions.
Patches
Vulnerable versions:
- v0.18.0
- v0.19.0 (unreleased)
This problem is patched in version v0.19.1
Workarounds
Update to the newer version is highly encouraged!
Measures to reduce the risk of this include authenticating clients (see --client-ca flag) and containerization of the yapscan server.
References
The tracking issue is #35. There you can find the commits, fixing the issue.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/fkie-cad/yapscan"
},
"ranges": [
{
"events": [
{
"introduced": "0.18.0"
},
{
"fixed": "0.19.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-22",
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-29T01:50:20Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nIf you make use of the **report receiver server** (experimental), a client may be able to forge requests such that arbitrary files on the host can be overwritten (subject to permissions of the yapscan server), leading to loss of data. This is particularly problematic if you do not authenticate clients and/or run the server with elevated permissions.\n\n### Patches\n\nVulnerable versions:\n\n- v0.18.0\n- v0.19.0 (unreleased)\n\nThis problem is patched in version v0.19.1\n\n### Workarounds\n\nUpdate to the newer version is highly encouraged!\n\nMeasures to reduce the risk of this include authenticating clients (see `--client-ca` flag) and containerization of the yapscan server.\n\n### References\n\nThe tracking issue is #35. There you can find the commits, fixing the issue.\n",
"id": "GHSA-9h6h-9g78-86f7",
"modified": "2022-12-29T01:50:20Z",
"published": "2022-12-29T01:50:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fkie-cad/yapscan/security/advisories/GHSA-9h6h-9g78-86f7"
},
{
"type": "WEB",
"url": "https://github.com/fkie-cad/yapscan/issues/35"
},
{
"type": "WEB",
"url": "https://github.com/fkie-cad/yapscan/commit/a75a20b50be673b96b1d42187b97f8cfe60728df"
},
{
"type": "WEB",
"url": "https://github.com/fkie-cad/yapscan/commit/fef9a33ceb66f6b929839f7eaf393b629681bc5d"
},
{
"type": "PACKAGE",
"url": "https://github.com/fkie-cad/yapscan"
},
{
"type": "WEB",
"url": "https://github.com/fkie-cad/yapscan/releases/tag/v0.19.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Yapscan\u0027s report receiver server vulnerable to path traversal and log injection"
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-30
Strategy: Output Encoding
Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CAPEC-268: Audit Log Manipulation
The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-93: Log Injection-Tampering-Forging
This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.