Common Weakness Enumeration

CWE-150

Allowed

Improper Neutralization of Escape, Meta, or Control Sequences

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

114 vulnerabilities reference this CWE, most recent first.

GHSA-VQ67-RP93-65QF

Vulnerability from github – Published: 2023-03-24 22:06 – Updated: 2023-03-24 22:06
VLAI
Summary
Interactive `run` permission prompt spoofing via improper ANSI neutralization
Details

Summary

Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a op_spawn_child or op_kill prompt and replace it with any desired text.

Details

The main entry point comes down to the ability to override what the API control says (40_process.js). Because of ANSI code's ability to clear lines, a malicious program can clear the last 2 lines of the prompt and put their own header. This also works in op_kill.

PoC

This PoC works on 1.31.1, but modified versions of it work on older versions.

Make a file, e.g. index.ts, that uses this vulnerability to spoof the op_spawn_child permission prompt

const boldANSI = "\u001b[1m" // bold
const unboldANSI = "\u001b[22m" // unbold

const prompt = `┌ ⚠️  ${boldANSI}Deno requests run access to "echo"${unboldANSI}
├ Requested by \`Deno.Command().output()`

const moveANSIUp = "\u001b[1A" // moves to the start of the line
const clearANSI = "\u001b[2K" // clears the line
const moveANSIStart = "\u001b[1000D" // moves to the start of the line

Deno[Object.getOwnPropertySymbols(Deno)[0]].core.ops.op_spawn_child({
    cmd: "cat",
    args: ["/etc/passwd"],
    clearEnv: false,
    env: [],
    stdin: "null",
    stdout: "inherit",
    stderr: "piped"
}, moveANSIUp + clearANSI + moveANSIStart + prompt)

Run the file with deno run index.ts.

Impact

Any Deno program is able to spoof the interactive permission prompt for the op_spawn_child or the op_kill action (which indirectly gives access to all run commands) by overriding the Requested by {message} API with their own ANSI codes, allowing them to clear the latter prompt and change it to whatever they needed:

// Expected Prompt
┌ ⚠️  Deno requests run access to "cat"
├ Requested by `Deno.Command().output()` API
├ Run again with --allow-run to bypass this prompt.
└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all run permissions) >

// Actual Prompt
┌ ⚠️  Deno requests run access to "echo"
├ Requested by `Deno.Command().output()` API
├ Run again with --allow-run to bypass this prompt.
└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all run permissions) >

This works with any command on the respective platform, giving the program the full ability to choose what program they wanted to run.

This problem can not be exploited on systems that do not attach an interactive prompt (for example headless servers).

Before v1.31.0, this requires the --unstable flag.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "deno_runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8.0"
            },
            {
              "fixed": "1.31.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8.0"
            },
            {
              "fixed": "1.31.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-24T22:06:01Z",
    "nvd_published_at": "2023-03-24T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nArbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with any desired text.\n\n### Details\n\nThe main entry point comes down to the ability to override what the API control says ([40_process.js](https://github.com/denoland/deno/blob/7d13d65468c37022f003bb680dfbddd07ea72173/runtime/js/40_process.js#L175)). Because of ANSI code\u0027s ability to clear lines, a malicious program can clear the last 2 lines of the prompt and put their own header. This also works in `op_kill`.\n\n### PoC\n\nThis PoC works on 1.31.1, but modified versions of it work on older versions.\n\nMake a file, e.g. `index.ts`, that uses this vulnerability to spoof the `op_spawn_child` permission prompt\n\n```ts\nconst boldANSI = \"\\u001b[1m\" // bold\nconst unboldANSI = \"\\u001b[22m\" // unbold\n\nconst prompt = `\u250c \u26a0\ufe0f  ${boldANSI}Deno requests run access to \"echo\"${unboldANSI}\n\u251c Requested by \\`Deno.Command().output()`\n\nconst moveANSIUp = \"\\u001b[1A\" // moves to the start of the line\nconst clearANSI = \"\\u001b[2K\" // clears the line\nconst moveANSIStart = \"\\u001b[1000D\" // moves to the start of the line\n\nDeno[Object.getOwnPropertySymbols(Deno)[0]].core.ops.op_spawn_child({\n    cmd: \"cat\",\n    args: [\"/etc/passwd\"],\n    clearEnv: false,\n    env: [],\n    stdin: \"null\",\n    stdout: \"inherit\",\n    stderr: \"piped\"\n}, moveANSIUp + clearANSI + moveANSIStart + prompt)\n```\n\nRun the file with `deno run index.ts`.\n\n### Impact\nAny Deno program is able to spoof the interactive permission prompt for the `op_spawn_child` or the `op_kill` action (which indirectly gives access to all run commands) by overriding the `Requested by {message} API` with their own ANSI codes, allowing them to clear the latter prompt and change it to whatever they needed:\n\n```\n// Expected Prompt\n\u250c \u26a0\ufe0f  Deno requests run access to \"cat\"\n\u251c Requested by `Deno.Command().output()` API\n\u251c Run again with --allow-run to bypass this prompt.\n\u2514 Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all run permissions) \u003e\n\n// Actual Prompt\n\u250c \u26a0\ufe0f  Deno requests run access to \"echo\"\n\u251c Requested by `Deno.Command().output()` API\n\u251c Run again with --allow-run to bypass this prompt.\n\u2514 Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all run permissions) \u003e\n```\n\nThis works with any command on the respective platform, giving the program the full ability to choose what program they wanted to run.\n\nThis problem can not be exploited on systems that do not attach an interactive prompt (for example headless servers).\n\nBefore `v1.31.0`, this requires the `--unstable` flag. \n",
  "id": "GHSA-vq67-rp93-65qf",
  "modified": "2023-03-24T22:06:01Z",
  "published": "2023-03-24T22:06:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-vq67-rp93-65qf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28446"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/blob/7d13d65468c37022f003bb680dfbddd07ea72173/runtime/js/40_process.js#L175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/releases/tag/v1.31.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Interactive `run` permission prompt spoofing via improper ANSI neutralization"
}

GHSA-WJPC-4F29-83H3

Vulnerability from github – Published: 2026-01-05 19:42 – Updated: 2026-01-06 16:07
VLAI
Summary
badkeys vulnerable to ASCII control character injection on console via malformed input
Details

Impact

An attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes.

Patches

This has been fixed with the following commits: https://github.com/badkeys/badkeys/commit/de631f69f040974bb5fb442cdab9a1d904c64087 https://github.com/badkeys/badkeys/commit/635a2f3b1b50a895d8b09ec8629efc06189f349a

All users should upgrade badkeys to version 0.0.16.

Resources

https://github.com/badkeys/badkeys/issues/40

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.15"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "badkeys"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-21439"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-05T19:42:12Z",
    "nvd_published_at": "2026-01-06T00:15:49Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nAn attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the `badkeys` command-line tool. This impacts scanning DKIM keys (both `--dkim` and `--dkim-dns`), SSH keys (`--ssh-lines` mode), and filenames in various modes.\n\n### Patches\n\nThis has been fixed with the following commits:\nhttps://github.com/badkeys/badkeys/commit/de631f69f040974bb5fb442cdab9a1d904c64087\nhttps://github.com/badkeys/badkeys/commit/635a2f3b1b50a895d8b09ec8629efc06189f349a\n\nAll users should upgrade `badkeys` to version 0.0.16.\n\n### Resources\n\nhttps://github.com/badkeys/badkeys/issues/40",
  "id": "GHSA-wjpc-4f29-83h3",
  "modified": "2026-01-06T16:07:15Z",
  "published": "2026-01-05T19:42:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/badkeys/badkeys/security/advisories/GHSA-wjpc-4f29-83h3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21439"
    },
    {
      "type": "WEB",
      "url": "https://github.com/badkeys/badkeys/issues/40"
    },
    {
      "type": "WEB",
      "url": "https://github.com/badkeys/badkeys/commit/635a2f3b1b50a895d8b09ec8629efc06189f349a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/badkeys/badkeys/commit/de631f69f040974bb5fb442cdab9a1d904c64087"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/badkeys/badkeys"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "badkeys vulnerable to ASCII control character injection on console via malformed input"
}

GHSA-WQ4H-7R42-5HRR

Vulnerability from github – Published: 2022-05-27 16:36 – Updated: 2022-12-07 14:37
VLAI
Summary
Possible shell escape sequence injection vulnerability in Rack
Details

There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger components of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30123.

Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1

Impact

Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.

Impacted applications will have either of these middleware installed, and vulnerable apps may have something like this:

use Rack::Lint

Or

use Rack::CommonLogger

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

Remove these middleware from your application

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.9.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.4.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1"
            },
            {
              "fixed": "2.1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.3.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2"
            },
            {
              "fixed": "2.2.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-30123"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-27T16:36:51Z",
    "nvd_published_at": "2022-12-05T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "There is a possible shell escape sequence injection vulnerability in the Lint\nand CommonLogger components of Rack.  This vulnerability has been assigned the\nCVE identifier CVE-2022-30123.\n\nVersions Affected:  All.\nNot affected:       None\nFixed Versions:     2.0.9.1, 2.1.4.1, 2.2.3.1\n\n## Impact\nCarefully crafted requests can cause shell escape sequences to be written to\nthe terminal via Rack\u0027s Lint middleware and CommonLogger middleware.  These\nescape sequences can be leveraged to possibly execute commands in the victim\u0027s\nterminal.\n\nImpacted applications will have either of these middleware installed, and\nvulnerable apps may have something like this:\n\n```\nuse Rack::Lint\n```\n\nOr\n\n```\nuse Rack::CommonLogger\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n## Workarounds\nRemove these middleware from your application\n",
  "id": "GHSA-wq4h-7r42-5hrr",
  "modified": "2022-12-07T14:37:27Z",
  "published": "2022-05-27T16:36:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30123"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/b426cc224908ec6ed6eb8729325392b048215d88"
    },
    {
      "type": "WEB",
      "url": "https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rack/rack"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30123.yml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202310-18"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231208-0011"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5530"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Possible shell escape sequence injection vulnerability in Rack"
}

GHSA-XWFJ-JGWM-7WP5

Vulnerability from github – Published: 2025-08-29 20:33 – Updated: 2025-09-02 16:35
VLAI
Summary
Tracing logging user input may result in poisoning logs with ANSI escape sequences
Details

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Patches

tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Workarounds

Avoid printing logs to terminal emulators without escaping ANSI control sequences.

References

https://www.packetlabs.net/posts/weaponizing-ansi-escape-sequences/

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tracing-subscriber"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-29T20:33:56Z",
    "nvd_published_at": "2025-08-29T22:15:32Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nPrevious versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:\n\n- Manipulate terminal title bars\n- Clear screens or modify terminal display\n- Potentially mislead users through terminal manipulation\n\nIn isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.\n\n### Patches\n\n`tracing-subscriber` version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.\n\n### Workarounds\n\nAvoid printing logs to terminal emulators without escaping ANSI control sequences.\n\n### References\n\nhttps://www.packetlabs.net/posts/weaponizing-ansi-escape-sequences/\n\n\n### Acknowledgments\n\nWe would like to thank [zefr0x](http://github.com/zefr0x) who responsibly reported the issue at `security@tokio.rs`.\n\nIf you believe you have found a security vulnerability in any tokio-rs project, please email us at `security@tokio.rs`.",
  "id": "GHSA-xwfj-jgwm-7wp5",
  "modified": "2025-09-02T16:35:51Z",
  "published": "2025-08-29T20:33:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tokio-rs/tracing/security/advisories/GHSA-xwfj-jgwm-7wp5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58160"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tokio-rs/tracing"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0055.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": " Tracing logging user input may result in poisoning logs with ANSI escape sequences"
}

Mitigation

Developers should anticipate that escape, meta and control characters/sequences will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-28
Implementation

Strategy: Output Encoding

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Mitigation
Implementation

When using output from an LLM, neutralize or strip escape codes before redirecting output to the terminal or other rendering engine that would process the codes. The neutralization could require that the character be printable and/or allowable whitespace, such as a carriage return or newline. Be deliberate about what to allow.

Mitigation
Build and Compilation

When using an LLM: during tokenizer training, suppress escape codes from the tokenizer's vocabulary. Depending on context, this could be accomplished by removing the codes from input to the tokenizer, or removing the map from the string to its token ID. It is generally unlikely that this removal would adversely affect the quality or correctness of what is generated, e.g. advice requests for terminal settings to change colors.

CAPEC-134: Email Injection

An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.

CAPEC-41: Using Meta-characters in E-mail Headers to Inject Malicious Payloads

This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-93: Log Injection-Tampering-Forging

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.