CWE-117
AllowedImproper Output Neutralization for Logs
Abstraction: Base · Status: Draft
The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
193 vulnerabilities reference this CWE, most recent first.
GHSA-G6J4-F6G3-WMCX
Vulnerability from github – Published: 2023-05-30 21:30 – Updated: 2024-04-04 04:23A vulnerability exists in a FOXMAN-UN and UNEM logging component, it only affects systems that use remote authentication to the network elements. If exploited an attacker could obtain confidential information.
List of CPEs: * cpe:2.3:a:hitachienergy:foxman_un:R9C::::::: * cpe:2.3:a:hitachienergy:foxman_un:R10C:::::::
-
cpe:2.3:a:hitachienergy:foxman_un:R11A:::::::*
-
cpe:2.3:a:hitachienergy:foxman_un:R11B:::::::*
-
cpe:2.3:a:hitachienergy:foxman_un:R14A:::::::*
-
cpe:2.3:a:hitachienergy:foxman_un:R14B:::::::*
-
cpe:2.3:a:hitachienergy:foxman_un:R15A:::::::*
-
cpe:2.3:a:hitachienergy:foxman_un:R15B:::::::*
-
cpe:2.3:a:hitachienergy:foxman_un:R16A:::::::*
- cpe:2.3:a:hitachienergy:unem:R9C:::::::*
-
cpe:2.3:a:hitachienergy: unem :R10C:::::::*
-
cpe:2.3:a:hitachienergy: unem :R11A:::::::*
-
cpe:2.3:a:hitachienergy: unem :R11B:::::::*
-
cpe:2.3:a:hitachienergy: unem :R14A:::::::*
-
cpe:2.3:a:hitachienergy: unem :R14B:::::::*
-
cpe:2.3:a:hitachienergy: unem :R15A:::::::*
-
cpe:2.3:a:hitachienergy: unem :R15B:::::::*
-
cpe:2.3:a:hitachienergy: unem :R16A:::::::*
{
"affected": [],
"aliases": [
"CVE-2023-1711"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-30T19:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability exists in a FOXMAN-UN and UNEM logging component, it only affects systems that use remote authentication to the network elements. \nIf exploited an attacker could obtain confidential information.\n\n\n\nList of CPEs:\n * cpe:2.3:a:hitachienergy:foxman_un:R9C:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:foxman_un:R10C:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R11A:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R11B:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R14A:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R14B:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R15A:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R15B:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R16A:*:*:*:*:*:*:*\n\n * \n * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy: unem :R10C:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R11A:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R11B:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R14A:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R14B:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R15A:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R15B:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R16A:*:*:*:*:*:*:*\n\n\n",
"id": "GHSA-g6j4-f6g3-wmcx",
"modified": "2024-04-04T04:23:35Z",
"published": "2023-05-30T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1711"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000155\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000166\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GHVR-MWW9-3HRG
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2024-01-23 18:31Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21; MongoDB Server v4.2 versions prior to 4.2.10;
{
"affected": [],
"aliases": [
"CVE-2021-20333"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-23T12:15:00Z",
"severity": "MODERATE"
},
"details": "Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21; MongoDB Server v4.2 versions prior to 4.2.10;",
"id": "GHSA-ghvr-mww9-3hrg",
"modified": "2024-01-23T18:31:10Z",
"published": "2022-05-24T19:09:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20333"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-50605"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GV3V-2CPP-3PMQ
Vulnerability from github – Published: 2026-02-10 12:30 – Updated: 2026-04-08 21:55A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.
Patches are available, see:
- https://github.com/keycloak/keycloak/releases/tag/26.4.11
- https://github.com/keycloak/keycloak/releases/tag/26.5.6
- https://github.com/keycloak/keycloak/releases/tag/26.6.0
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-quarkus-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.5.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-11537"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-11T19:08:55Z",
"nvd_published_at": "2026-02-10T11:16:09Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined \u0027long\u0027 pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.\n\nPatches are available, see:\n\n- https://github.com/keycloak/keycloak/releases/tag/26.4.11\n- https://github.com/keycloak/keycloak/releases/tag/26.5.6\n- https://github.com/keycloak/keycloak/releases/tag/26.6.0",
"id": "GHSA-gv3v-2cpp-3pmq",
"modified": "2026-04-08T21:55:47Z",
"published": "2026-02-10T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11537"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/137a35c1109ff43a305f26264978a3ea21452373"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/5a3cdb7c4ccbf83ffc926f70d655a60269d7207b"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/9622f550a6e565b29a3a37454421f08626791a6c"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-11537"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402616"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
},
{
"type": "WEB",
"url": "https://www.keycloak.org/server/logging#_change_log_formatpattern"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak logs sensitive headers"
}
GHSA-GVRR-Q7F9-RX5J
Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-03-06 21:31IBM Aspera Shares 1.9.0 through 1.10.0 PL6 could allow an attacker to spoof their IP address, which is written to log files, due to improper verification of 'Client-IP' headers.
{
"affected": [],
"aliases": [
"CVE-2024-56473"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-05T23:15:10Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Shares\u00a01.9.0 through 1.10.0 PL6 could allow an attacker to spoof their IP address, which is written to log files, due to improper verification of \u0027Client-IP\u0027 headers.",
"id": "GHSA-gvrr-q7f9-rx5j",
"modified": "2025-03-06T21:31:25Z",
"published": "2025-02-06T06:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56473"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7182490"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H24R-M9QC-PVPG
Vulnerability from github – Published: 2024-02-06 12:30 – Updated: 2026-06-09 13:05An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.16.0"
},
{
"fixed": "2.16.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.15.0"
},
{
"fixed": "2.15.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-0690"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-117"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-06T20:26:17Z",
"nvd_published_at": "2024-02-06T12:15:55Z",
"severity": "MODERATE"
},
"details": "An information disclosure flaw was found in ansible-core due to a failure to respect the `ANSIBLE_NO_LOG` configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.",
"id": "GHSA-h24r-m9qc-pvpg",
"modified": "2026-06-09T13:05:25Z",
"published": "2024-02-06T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0690"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/82565"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/6935c8e303440addd3871ecf8e04bde61080b032"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/78db3a3de6b40fb52d216685ae7cb903c609c3e1"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/b9a03bbf5a63459468baf8895ff74a62e9be4532"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/beb04bc2642c208447c5a936f94310528a1946b1"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0733"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2246"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3043"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-0690"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259013"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible-core/PYSEC-2024-36.yaml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZQGCRDSZL7ONCULMB6ZUHOE4L44KIBP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDYSWOCPZMNRU5LWKIEBW4WGWLMTU7WQ"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250117-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ansible-core information disclosure flaw"
}
GHSA-H47X-XWJ6-WRPV
Vulnerability from github – Published: 2024-07-11 03:30 – Updated: 2024-07-11 03:30Improper output Neutralization for Logs (CWE-117) in the Command Centre API Diagnostics Endpoint could allow an attacker limited ability to modify Command Centre log files.
This issue affects: Gallagher Command Centre v9.10 prior to vEL9.10.1268 (MR1).
{
"affected": [],
"aliases": [
"CVE-2024-23194"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-11T03:15:02Z",
"severity": "LOW"
},
"details": "Improper output Neutralization for Logs (CWE-117) in the Command Centre API\u00a0Diagnostics Endpoint could allow an attacker limited ability to modify Command Centre log files. \n\nThis issue affects:\u00a0Gallagher Command Centre v9.10 prior to vEL9.10.1268 (MR1).",
"id": "GHSA-h47x-xwj6-wrpv",
"modified": "2024-07-11T03:30:55Z",
"published": "2024-07-11T03:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23194"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/Security-Advisories/CVE-2024-23194"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H9QG-8CX4-MH74
Vulnerability from github – Published: 2023-10-23 00:30 – Updated: 2023-11-01 18:30iTermSessionLauncher.m in iTerm2 before 3.5.0beta12 does not sanitize paths in x-man-page URLs. They may have shell metacharacters for a /usr/bin/man command line.
{
"affected": [],
"aliases": [
"CVE-2023-46321"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-23T00:15:08Z",
"severity": "CRITICAL"
},
"details": "iTermSessionLauncher.m in iTerm2 before 3.5.0beta12 does not sanitize paths in x-man-page URLs. They may have shell metacharacters for a /usr/bin/man command line.",
"id": "GHSA-h9qg-8cx4-mh74",
"modified": "2023-11-01T18:30:30Z",
"published": "2023-10-23T00:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46321"
},
{
"type": "WEB",
"url": "https://gitlab.com/gnachman/iterm2/-/commit/de3d351e1bd3bc1c1a4f85fe976c592e497dd071"
},
{
"type": "WEB",
"url": "https://iterm2.com/downloads.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HHW6-Q999-WQQQ
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:55A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions.
{
"affected": [],
"aliases": [
"CVE-2023-4065"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:39Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions.",
"id": "GHSA-hhw6-q999-wqqq",
"modified": "2024-04-04T07:55:38Z",
"published": "2023-09-27T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4065"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4720"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-4065"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224630"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J27P-5P5F-GJJV
Vulnerability from github – Published: 2025-04-08 15:31 – Updated: 2025-04-08 15:31An Improper Output Neutralization for Logs vulnerability [CWE-117] in FortiAnalyzer version 7.6.1 and below, version 7.4.5 and below, version 7.2.8 and below, version 7.0.13 and below and FortiManager version 7.6.1 and below, version 7.4.5 and below, version 7.2.8 and below, version 7.0.12 and below may allow an unauthenticated remote attacker to pollute the logs via crafted login requests.
{
"affected": [],
"aliases": [
"CVE-2024-52962"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T14:15:32Z",
"severity": "MODERATE"
},
"details": "An\u00a0Improper Output Neutralization for Logs vulnerability [CWE-117] in FortiAnalyzer version 7.6.1 and below, version 7.4.5 and below, version 7.2.8 and below, version 7.0.13 and below and FortiManager version 7.6.1 and below, version 7.4.5 and below, version 7.2.8 and below, version 7.0.12 and below may allow an unauthenticated remote attacker to pollute the logs via crafted login requests.",
"id": "GHSA-j27p-5p5f-gjjv",
"modified": "2025-04-08T15:31:05Z",
"published": "2025-04-08T15:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52962"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-453"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J3GR-58V5-64M3
Vulnerability from github – Published: 2022-09-07 00:01 – Updated: 2022-09-13 00:00The Cognex 3D-A1000 Dimensioning System in firmware version 1.0.3 (3354) and prior is vulnerable to CWE-117: Improper Output Neutralization for Logs, which allows an attacker to create false logs that show the password as having been changed when it is not, complicating forensics.
{
"affected": [],
"aliases": [
"CVE-2022-1522"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-06T23:15:00Z",
"severity": "MODERATE"
},
"details": "The Cognex 3D-A1000 Dimensioning System in firmware version 1.0.3 (3354) and prior is vulnerable to CWE-117: Improper Output Neutralization for Logs, which allows an attacker to create false logs that show the password as having been changed when it is not, complicating forensics.",
"id": "GHSA-j3gr-58v5-64m3",
"modified": "2022-09-13T00:00:40Z",
"published": "2022-09-07T00:01:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1522"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-249-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-30
Strategy: Output Encoding
Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CAPEC-268: Audit Log Manipulation
The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-93: Log Injection-Tampering-Forging
This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.