Common Weakness Enumeration

CWE-117

Allowed

Improper Output Neutralization for Logs

Abstraction: Base · Status: Draft

The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.

193 vulnerabilities reference this CWE, most recent first.

GHSA-445C-VH5M-36RJ

Vulnerability from github – Published: 2026-04-10 18:31 – Updated: 2026-04-14 00:13
VLAI
Summary
Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility
Details

Apache Log4j Core's Rfc5424Layout, in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.

Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:

  • The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
  • The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.logging.log4j:log4j-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.21.0"
            },
            {
              "fixed": "2.25.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.logging.log4j:log4j-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-beta1"
            },
            {
              "last_affected": "3.0.0-beta3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117",
      "CWE-684"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T00:13:29Z",
    "nvd_published_at": "2026-04-10T16:16:31Z",
    "severity": "MODERATE"
  },
  "details": "Apache Log4j Core\u0027s [`Rfc5424Layout`](https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.\n\nTwo distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:\n\n  *  The `newLineEscape` attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.\n  *  The `useTlsMessageFormat` attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.\n\nUsers of the `SyslogAppender` are not affected, as its configuration attributes were not modified.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.",
  "id": "GHSA-445c-vh5m-36rj",
  "modified": "2026-04-14T00:13:29Z",
  "published": "2026-04-10T18:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34478"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/logging-log4j2/pull/4074"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/logging-log4j2"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/cyclonedx/vdr.xml"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/security.html#CVE-2026-34478"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/10/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility"
}

GHSA-48G5-4PH9-JJMF

Vulnerability from github – Published: 2023-07-31 18:30 – Updated: 2024-12-10 18:31
VLAI
Details

Splunk SOAR versions 6.0.2 and earlier are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-117",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-31T17:15:10Z",
    "severity": "HIGH"
  },
  "details": "Splunk SOAR versions 6.0.2 and earlier are indirectly affected by a potential vulnerability accessed through the user\u2019s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user\u2019s action.",
  "id": "GHSA-48g5-4ph9-jjmf",
  "modified": "2024-12-10T18:31:06Z",
  "published": "2023-07-31T18:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3997"
    },
    {
      "type": "WEB",
      "url": "https://advisory.splunk.com/advisories/SVD-2023-0702"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4VJ7-5MJ6-JM8M

Vulnerability from github – Published: 2026-07-10 14:32 – Updated: 2026-07-10 14:32
VLAI
Summary
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Details

Impact

Morgan's :remote-user token extracts the Basic auth username from the Authorization header and writes it to the log stream without neutralizing control characters. An attacker can send a crafted Authorization: Basic header containing CR/LF characters to inject forged log lines, corrupting the one-request-per-line structure of access logs.

The built-in combined, common, default, and short formats are affected, as well as any custom format that includes :remote-user.

Patches

Users should upgrade to version 1.11.0.

Workarounds

Use a custom format string that does not include :remote-user.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.10.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "morgan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-5078"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-10T14:32:15Z",
    "nvd_published_at": "2026-06-03T08:16:19Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nMorgan\u0027s `:remote-user` token extracts the Basic auth username from the `Authorization` header and writes it to the log stream without neutralizing control characters. An attacker can send a crafted `Authorization: Basic` header containing CR/LF characters to inject forged log lines, corrupting the one-request-per-line structure of access logs.\n\nThe built-in `combined`, `common`, `default`, and `short` formats are affected, as well as any custom format that includes `:remote-user`.\n\n### Patches\n\nUsers should upgrade to version 1.11.0.\n\n### Workarounds\n\nUse a custom format string that does not include `:remote-user`.",
  "id": "GHSA-4vj7-5mj6-jm8m",
  "modified": "2026-07-10T14:32:15Z",
  "published": "2026-07-10T14:32:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5078"
    },
    {
      "type": "WEB",
      "url": "https://cna.openjsf.org/security-advisories.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/expressjs/morgan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "morgan vulnerable to Log Forging via unneutralized control characters in :remote-user"
}

GHSA-62CM-C2H4-RG2M

Vulnerability from github – Published: 2025-05-22 15:34 – Updated: 2025-06-04 21:31
VLAI
Details

Improper Output Neutralization for Logs vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3942"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-22T13:15:57Z",
    "severity": "MODERATE"
  },
  "details": "Improper Output Neutralization for Logs vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u00a0Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.",
  "id": "GHSA-62cm-c2h4-rg2m",
  "modified": "2025-06-04T21:31:10Z",
  "published": "2025-05-22T15:34:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3942"
    },
    {
      "type": "WEB",
      "url": "https://www.honeywell.com/us/en/product-security#security-notices"
    },
    {
      "type": "WEB",
      "url": "https://www.tridium.com/us/en/product-security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-62RC-944Q-7VQ6

Vulnerability from github – Published: 2025-02-28 18:31 – Updated: 2025-02-28 18:31
VLAI
Details

Unauthenticated log effects metrics gathering incident response efforts and potentially exposes risk of injection attacks (ex log injection).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23405"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-28T17:15:16Z",
    "severity": "MODERATE"
  },
  "details": "Unauthenticated log effects metrics gathering incident response efforts and potentially exposes risk of injection attacks (ex log injection).",
  "id": "GHSA-62rc-944q-7vq6",
  "modified": "2025-02-28T18:31:05Z",
  "published": "2025-02-28T18:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23405"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01"
    },
    {
      "type": "WEB",
      "url": "https://www.dariohealth.com/contact"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-63FR-HQMM-7X7R

Vulnerability from github – Published: 2024-01-24 18:31 – Updated: 2024-01-24 18:31
VLAI
Details

Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create false alarms, and inject malicious content into logs that compromise logs integrity. A malicious attacker could also prevent the product from logging information while malicious actions are performed or implicate an arbitrary user for malicious activities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-24T17:15:08Z",
    "severity": "LOW"
  },
  "details": "\nDell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create false alarms, and inject malicious content into logs that compromise logs integrity. A malicious attacker could also prevent the product from logging information while malicious actions are performed or implicate an arbitrary user for malicious activities.\n\n",
  "id": "GHSA-63fr-hqmm-7x7r",
  "modified": "2024-01-24T18:31:01Z",
  "published": "2024-01-24T18:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22229"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000213152/dsa-2023-141-dell-unity-unity-vsa-and-unity-xt-security-update-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-674P-XV2X-RF3G

Vulnerability from github – Published: 2025-08-11 23:07 – Updated: 2025-08-11 23:07
VLAI
Summary
Litestar has potential log injection in exception logging
Details

Summary

Litestar does not escape url paths when logging exceptions. This makes logger vulnerable to CRLF injection if logging level is configured to debug or log_exceptions is set to "always", which allows attackers to inject newlines and forge log entries.

Details

Litestar directly formats unquoted path into exception logs without validation or escaping when using default exception logging handler.

https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/litestar/logging/config.py#L145-L150

Attackers can inject newlines in logs by embedding%0d%0a in url path.

log_exceptions="always" is not enabled by default. However, it is set in the examples of documentation (https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/docs/usage/logging.rst#logging). User will be impacted if they directly copy the logging config from docs.

PoC

curl "http://172.17.0.2:8000/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:8192%20-%20%22POST%20/login%20HTTP/1.1%22%20200%20OK%0D%0A%28"

logging:

2025-07-15 00:00:00 - litestar - ERROR - Uncaught exception (connection_type=http, path=/)
INFO:     127.0.0.1:8192 - "POST /login HTTP/1.1" 200 OK
...

If stacktracks for 404 are configured to be ignored (disable_stack_trace={404},), attacker may also exploit this by sending malformed requests to cause 400/500 exceptions and avoid 404 in endpoints with str path parameters.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.16.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "litestar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-11T23:07:36Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\n\nLitestar does not escape url paths when logging exceptions. This makes logger vulnerable to CRLF injection if logging level is configured to debug or `log_exceptions` is set to \"always\", which allows attackers to inject newlines and forge log entries.\n\n### Details\n\nLitestar directly formats unquoted path into exception logs without validation or escaping when using default exception logging handler.\n\nhttps://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/litestar/logging/config.py#L145-L150\n\nAttackers can inject newlines in logs by embedding`%0d%0a` in url path.\n\n`log_exceptions=\"always\"` is not enabled by default. However, it is set in the examples of documentation (https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/docs/usage/logging.rst#logging). User will be impacted if they directly copy the logging config from docs.\n\n### PoC\n\n```\ncurl \"http://172.17.0.2:8000/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:8192%20-%20%22POST%20/login%20HTTP/1.1%22%20200%20OK%0D%0A%28\"\n```\n\nlogging:\n\n```\n2025-07-15 00:00:00 - litestar - ERROR - Uncaught exception (connection_type=http, path=/)\nINFO:     127.0.0.1:8192 - \"POST /login HTTP/1.1\" 200 OK\n...\n```\n\nIf stacktracks for 404 are configured to be ignored (`disable_stack_trace={404},`), attacker may also exploit this by sending malformed requests to cause 400/500 exceptions and avoid 404 in endpoints with str path parameters.",
  "id": "GHSA-674p-xv2x-rf3g",
  "modified": "2025-08-11T23:07:36Z",
  "published": "2025-08-11T23:07:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-674p-xv2x-rf3g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/commit/03b5813d4f448dd710af9ba6252d798cb9fc087f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/litestar-org/litestar"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Litestar has potential log injection in exception logging"
}

GHSA-678W-QRPP-9PJW

Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2024-07-03 18:42
VLAI
Details

An issue was discovered in Italtel Embrace 1.6.4. The product does not neutralize or incorrectly neutralizes output that is written to logs. The web application writes logs using a GET query string parameter. This parameter can be modified by an attacker, so that every action he performs is attributed to a different user. This can be exploited without authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T16:15:26Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Italtel Embrace 1.6.4. The product does not neutralize or incorrectly neutralizes output that is written to logs. The web application writes logs using a GET query string parameter. This parameter can be modified by an attacker, so that every action he performs is attributed to a different user. This can be exploited without authentication.",
  "id": "GHSA-678w-qrpp-9pjw",
  "modified": "2024-07-03T18:42:58Z",
  "published": "2024-05-21T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31845"
    },
    {
      "type": "WEB",
      "url": "https://www.gruppotim.it/it/footer/red-team.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68P3-H5C2-5HCR

Vulnerability from github – Published: 2025-08-22 21:31 – Updated: 2025-11-05 00:31
VLAI
Details

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx.

When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. This may prevent applications that consume these logs from correctly interpreting the information within them.

This issue affects Apache Log4cxx: before 1.5.0.

Users are recommended to upgrade to version 1.5.0, which fixes the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-22T19:15:40Z",
    "severity": "MODERATE"
  },
  "details": "Improper Output Neutralization for Logs vulnerability in Apache Log4cxx.\n\nWhen using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. This may prevent applications that consume these logs from correctly interpreting the information within them.\n\nThis issue affects Apache Log4cxx: before 1.5.0.\n\nUsers are recommended to upgrade to version 1.5.0, which fixes the issue.",
  "id": "GHSA-68p3-h5c2-5hcr",
  "modified": "2025-11-05T00:31:25Z",
  "published": "2025-08-22T21:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/logging-log4cxx/pull/512"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "https://logging.apache.org/security.html#CVE-2025-54813"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/08/22/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6CJM-4PXW-7XP9

Vulnerability from github – Published: 2024-04-18 18:22 – Updated: 2025-09-15 20:06
VLAI
Summary
Sentry vulnerable to leaking superuser cleartext password in logs
Details

Impact

When authenticating as a superuser to a self-hosted Sentry instance with a username and password, the password is leaked as cleartext in logs under the event: auth-index.validate_superuser. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser.

Patches

  • Self-hosted users on affected versions should upgrade to 24.4.1 or later.
  • Sentry SaaS users do not need to take any action. This vulnerability is not applicable to SaaS.

Workarounds

Users can configure the logging level to exclude logs of the INFO level and only generate logs for levels at WARNING or higher. For details on configuring self-hosted Sentry's logging level see our documentation at: https://develop.sentry.dev/config/#logging

References

  • Bug introduced in https://github.com/getsentry/sentry/pull/66393
  • Security fix in https://github.com/getsentry/sentry/pull/69148
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sentry"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.3.0"
            },
            {
              "fixed": "24.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-18T18:22:42Z",
    "nvd_published_at": "2024-04-18T20:15:17Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nWhen authenticating as a superuser to a self-hosted Sentry instance with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser.\n\n### Patches\n- Self-hosted users on affected versions should upgrade to 24.4.1 or later.\n- Sentry SaaS users do not need to take any action. This vulnerability is not applicable to SaaS.\n\n### Workarounds\nUsers can configure the logging level to exclude logs of the `INFO` level and only generate logs for levels at `WARNING` or higher. For details on configuring self-hosted Sentry\u0027s logging level see our documentation at: https://develop.sentry.dev/config/#logging\n\n### References\n- Bug introduced in https://github.com/getsentry/sentry/pull/66393\n- Security fix in https://github.com/getsentry/sentry/pull/69148",
  "id": "GHSA-6cjm-4pxw-7xp9",
  "modified": "2025-09-15T20:06:42Z",
  "published": "2024-04-18T18:22:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32474"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/pull/66393"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/pull/69148"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getsentry/sentry"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sentry vulnerable to leaking superuser cleartext password in logs"
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-30
Implementation

Strategy: Output Encoding

Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.

Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CAPEC-268: Audit Log Manipulation

The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-93: Log Injection-Tampering-Forging

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.