Common Weakness Enumeration

CWE-117

Allowed

Improper Output Neutralization for Logs

Abstraction: Base · Status: Draft

The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.

193 vulnerabilities reference this CWE, most recent first.

GHSA-J46X-WJ3P-R6QG

Vulnerability from github – Published: 2023-07-11 03:30 – Updated: 2024-04-04 05:54
VLAI
Details

SAP Solution Manager (Diagnostics agent) - version 7.20, allows an unauthenticated attacker to blindly execute HTTP requests. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application and other applications the Diagnostics Agent can reach.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117",
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-11T03:15:10Z",
    "severity": "HIGH"
  },
  "details": "SAP Solution Manager (Diagnostics agent) - version 7.20, allows an unauthenticated attacker to blindly execute HTTP requests. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application and other applications the Diagnostics Agent can reach.\n\n",
  "id": "GHSA-j46x-wj3p-r6qg",
  "modified": "2024-04-04T05:54:47Z",
  "published": "2023-07-11T03:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36925"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3352058"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J5FQ-P3C6-93JM

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. The parameters sessionId, fileId, userId, and file_id in the /code/download/:sessionId/:fileId and /download/:userId/:file_id APIs are not validated or filtered, leading to potential log injection attacks. This can cause distortion of monitoring and investigation information, evade detection from security systems, and create difficulties in maintenance and operation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:29Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. The parameters sessionId, fileId, userId, and file_id in the /code/download/:sessionId/:fileId and /download/:userId/:file_id APIs are not validated or filtered, leading to potential log injection attacks. This can cause distortion of monitoring and investigation information, evade detection from security systems, and create difficulties in maintenance and operation.",
  "id": "GHSA-j5fq-p3c6-93jm",
  "modified": "2025-03-20T12:32:43Z",
  "published": "2025-03-20T12:32:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/danny-avila/librechat/commit/95d6bd2c2db4a09b308be2b96e3d5fd522c7b72a"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/6e477667-dcd4-42c2-b342-a6ce09ffdeeb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J628-Q885-8GR5

Vulnerability from github – Published: 2024-04-17 18:24 – Updated: 2024-06-27 16:38
VLAI
Summary
Keycloak vulnerable to log Injection during WebAuthn authentication or registration
Details

A flaw was found in keycloak 22.0.5. Errors in browser client during setup/auth with "Security Key login" (WebAuthn) are written into the form, send to Keycloak and logged without escaping allowing log injection.

Acknowledgements: Special thanks toTheresa Henze for reporting this issue and helping us improve our security.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "22.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.0.0"
            },
            {
              "fixed": "23.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-6484"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-17T18:24:03Z",
    "nvd_published_at": "2024-04-25T16:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in keycloak 22.0.5. Errors in browser client during setup/auth with \"Security Key login\" (WebAuthn) are written into the form, send to Keycloak and logged without escaping allowing log injection.\n\nAcknowledgements:\nSpecial thanks toTheresa Henze for reporting this issue and helping us improve our security.",
  "id": "GHSA-j628-q885-8gr5",
  "modified": "2024-06-27T16:38:20Z",
  "published": "2024-04-17T18:24:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-j628-q885-8gr5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6484"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/issues/25078"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/f9049565a9a228faa08138b9269d66d3de6c7e9a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/110f64a8146d0817252f90cf4b5e6a62aa897aff"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248423"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-6484"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1868"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1867"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1866"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1865"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1864"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1862"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1861"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1860"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0804"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0801"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0800"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0799"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0798"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak vulnerable to log Injection during WebAuthn authentication or registration"
}

GHSA-J667-C2HM-F2WP

Vulnerability from github – Published: 2022-02-09 21:59 – Updated: 2024-09-05 00:37
VLAI
Summary
Insertion of Sensitive Information into Log File and Improper Output Neutralization for Logs in ansible
Details

A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0a1"
            },
            {
              "fixed": "2.9.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0a1"
            },
            {
              "fixed": "2.10.1rc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-14332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-02T23:18:09Z",
    "nvd_published_at": "2020-09-11T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.",
  "id": "GHSA-j667-c2hm-f2wp",
  "modified": "2024-09-05T00:37:44Z",
  "published": "2022-02-09T21:59:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14332"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/71033"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/291f94934c8c49eef85e6539087f2dfcd001fe4f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/6cae9a4b168df776bf82deb04b2c62e00c38b49a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/714cd2ad2eff7f003d728414afcb91591fad5d9a"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14332"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-j667-c2hm-f2wp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/blob/stable-2.10/changelogs/CHANGELOG-v2.10.rst#security-fixes-3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst#security-fixes-4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes-6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-4.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4950"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Insertion of Sensitive Information into Log File and Improper Output Neutralization for Logs in ansible"
}

GHSA-J8F3-4CQG-MHW4

Vulnerability from github – Published: 2024-01-16 21:31 – Updated: 2024-01-16 21:31
VLAI
Details

OPCUAServerToolkit will write a log message once an OPC UA client has successfully connected containing the client's self-defined description field.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-16T19:15:08Z",
    "severity": "MODERATE"
  },
  "details": "\nOPCUAServerToolkit will write a log message once an OPC UA client has successfully connected containing the client\u0027s self-defined description field.\n\n",
  "id": "GHSA-j8f3-4cqg-mhw4",
  "modified": "2024-01-16T21:31:22Z",
  "published": "2024-01-16T21:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7234"
    },
    {
      "type": "WEB",
      "url": "https://integrationobjects.com//ask-a-question"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JWH7-XM52-QVH7

Vulnerability from github – Published: 2025-01-28 12:31 – Updated: 2025-01-28 12:31
VLAI
Details

The vulnerability was found in OpenShift Service Mesh 2.6.3 and 2.5.6. This issue occurs due to improper sanitization of HTTP headers by Envoy, particularly the x-forwarded-for header. This lack of sanitization can allow attackers to inject malicious payloads into service mesh logs, leading to log injection and spoofing attacks. Such injections can mislead logging mechanisms, enabling attackers to manipulate log entries or execute reflected cross-site scripting (XSS) attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0754"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-28T10:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The vulnerability was found in OpenShift Service Mesh 2.6.3 and 2.5.6. This issue occurs due to improper sanitization of HTTP headers by Envoy, particularly the x-forwarded-for header. This lack of sanitization can allow attackers to inject malicious payloads into service mesh logs, leading to log injection and spoofing attacks. Such injections can mislead logging mechanisms, enabling attackers to manipulate log entries or execute reflected cross-site scripting (XSS) attacks.",
  "id": "GHSA-jwh7-xm52-qvh7",
  "modified": "2025-01-28T12:31:08Z",
  "published": "2025-01-28T12:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0754"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-0754"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2339147"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M2H6-JXJ8-4JQF

Vulnerability from github – Published: 2021-05-17 21:25 – Updated: 2021-12-20 17:46
VLAI
Summary
Sensitive Data Exposure in Openshift Container Platform
Details

OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-10213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-25T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
  "id": "GHSA-m2h6-jxj8-4jqf",
  "modified": "2021-12-20T17:46:09Z",
  "published": "2021-05-17T21:25:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10213"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openshift/library-go/pull/244"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openshift/library-go/pull/472"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:4082"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:4088"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1734615"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10213"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:R",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sensitive Data Exposure in Openshift Container Platform"
}

GHSA-MCP9-HFJJ-CPP5

Vulnerability from github – Published: 2024-05-03 18:30 – Updated: 2024-05-03 18:30
VLAI
Details

IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to injection attacks in application logging by not sanitizing user provided data. IBM X-Force ID: 251463.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28952"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T18:15:08Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to injection attacks in application logging by not sanitizing user provided data.  IBM X-Force ID:  251463.",
  "id": "GHSA-mcp9-hfjj-cpp5",
  "modified": "2024-05-03T18:30:37Z",
  "published": "2024-05-03T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28952"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/251463"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7149876"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF24-CHXH-HMVJ

Vulnerability from github – Published: 2025-03-06 19:11 – Updated: 2025-03-11 17:15
VLAI
Summary
Envoy Gateway Log Injection Vulnerability
Details

Impact

In all Envoy Gateway versions prior to 1.2.7 and 1.3.1 a default Envoy Proxy access log configuration is used. This format is vulnerable to log injection attacks.

If the attacker uses a specially crafted user-agent which performs json injection, then he could add and overwrite fields to the access log.

Examples of attacks include:

  • Using following string as user agent : HELLO-WORLD", "evil-ip": "1.1.1.1", "x-forwarded-for": "1.1.1.1 would lead to setting of new access log properties and overwrite of existing properties. Existing properties such as the value of the X-Forwarded-For header may have importance for security analysis of access logs, and their overwrite can be used to hide malicious activity.

  • Using the following string as user-agent : " which renders an invalid json document. The invalid document may fail to be processed by observability solutions, which would allow attacker to hide malicious activity.

Patches

1.3.1, 1.2.7

Fix

Using JSON format as the default format for access logs. The logged document will contain the same key and values as before. Only the order of properties is different inside the logged document.

Workaround

One can overwrite the old text based default format with JSON formatter by setting the following property: "EnvoyProxy.spec.telemetry.accessLog" to

settings:
- format:
    type: JSON
    json:
      start_time: '%START_TIME%'
      method: '%REQ(:METHOD)%'
      x-envoy-origin-path: '%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%'
      protocol: '%PROTOCOL%'
      response_code: '%RESPONSE_CODE%'
      response_flags: '%RESPONSE_FLAGS%'
      response_code_details: '%RESPONSE_CODE_DETAILS%'
      connection_termination_details: '%CONNECTION_TERMINATION_DETAILS%'
      upstream_transport_failure_reason: '%UPSTREAM_TRANSPORT_FAILURE_REASON%'
      bytes_received: '%BYTES_RECEIVED%'
      bytes_sent: '%BYTES_SENT%'
      duration: '%DURATION%'
      x-envoy-upstream-service-time: '%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%'
      x-forwarded-for: '%REQ(X-FORWARDED-FOR)%'
      user-agent: '%REQ(USER-AGENT)%'
      x-request-id: '%REQ(X-REQUEST-ID)%'
      :authority: '%REQ(:AUTHORITY)%'
      upstream_host: '%UPSTREAM_HOST%'
      upstream_cluster: '%UPSTREAM_CLUSTER%'
      upstream_local_address: '%UPSTREAM_LOCAL_ADDRESS%'
      downstream_local_address: '%DOWNSTREAM_LOCAL_ADDRESS%'
      downstream_remote_address: '%DOWNSTREAM_REMOTE_ADDRESS%'
      requested_server_name: '%REQUESTED_SERVER_NAME%'
      route_name: '%ROUTE_NAME%'

see API definition here

References

Are there any links users can visit to find out more?

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/gateway"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/gateway"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0-rc.1"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-06T19:11:39Z",
    "nvd_published_at": "2025-03-06T19:15:27Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIn all Envoy Gateway versions prior to 1.2.7 and 1.3.1 a default Envoy Proxy access log configuration is used. This format is vulnerable to log injection attacks. \n\nIf the attacker uses a specially crafted user-agent which performs json injection, then he could add and overwrite fields to the access log. \n\nExamples of attacks include:\n\n-  Using following string as user agent : `HELLO-WORLD\", \"evil-ip\": \"1.1.1.1\", \"x-forwarded-for\": \"1.1.1.1` would lead to setting of new access log properties and overwrite of existing properties. Existing properties such as the value of the X-Forwarded-For header may have importance for security analysis of access logs, and their overwrite can be used to hide malicious activity. \n\n- Using the following string as user-agent : `\"` which renders an invalid json document. The invalid document may fail to be processed by observability solutions, which would allow attacker to hide malicious activity.  \n\n### Patches\n1.3.1, 1.2.7\n\n### Fix\nUsing JSON format as the default format for access logs. The logged document will contain the same key and values as before. Only the order of properties is different inside the logged document.\n\n### Workaround\nOne can overwrite the old text based default format with JSON formatter by setting the following property: \n\"EnvoyProxy.spec.telemetry.[accessLog](https://gateway.envoyproxy.io/v1.3/api/extension_types/#proxyaccesslog)\" to \n\n```\nsettings:\n- format:\n    type: JSON\n    json:\n      start_time: \u0027%START_TIME%\u0027\n      method: \u0027%REQ(:METHOD)%\u0027\n      x-envoy-origin-path: \u0027%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\u0027\n      protocol: \u0027%PROTOCOL%\u0027\n      response_code: \u0027%RESPONSE_CODE%\u0027\n      response_flags: \u0027%RESPONSE_FLAGS%\u0027\n      response_code_details: \u0027%RESPONSE_CODE_DETAILS%\u0027\n      connection_termination_details: \u0027%CONNECTION_TERMINATION_DETAILS%\u0027\n      upstream_transport_failure_reason: \u0027%UPSTREAM_TRANSPORT_FAILURE_REASON%\u0027\n      bytes_received: \u0027%BYTES_RECEIVED%\u0027\n      bytes_sent: \u0027%BYTES_SENT%\u0027\n      duration: \u0027%DURATION%\u0027\n      x-envoy-upstream-service-time: \u0027%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\u0027\n      x-forwarded-for: \u0027%REQ(X-FORWARDED-FOR)%\u0027\n      user-agent: \u0027%REQ(USER-AGENT)%\u0027\n      x-request-id: \u0027%REQ(X-REQUEST-ID)%\u0027\n      :authority: \u0027%REQ(:AUTHORITY)%\u0027\n      upstream_host: \u0027%UPSTREAM_HOST%\u0027\n      upstream_cluster: \u0027%UPSTREAM_CLUSTER%\u0027\n      upstream_local_address: \u0027%UPSTREAM_LOCAL_ADDRESS%\u0027\n      downstream_local_address: \u0027%DOWNSTREAM_LOCAL_ADDRESS%\u0027\n      downstream_remote_address: \u0027%DOWNSTREAM_REMOTE_ADDRESS%\u0027\n      requested_server_name: \u0027%REQUESTED_SERVER_NAME%\u0027\n      route_name: \u0027%ROUTE_NAME%\u0027\n```\nsee API definition [here](https://gateway.envoyproxy.io/v1.3/api/extension_types/#proxyaccesslogformat)\n\n### References\n_Are there any links users can visit to find out more?_",
  "id": "GHSA-mf24-chxh-hmvj",
  "modified": "2025-03-11T17:15:37Z",
  "published": "2025-03-06T19:11:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/gateway/security/advisories/GHSA-mf24-chxh-hmvj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25294"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/gateway/commit/041d474a70d5921e5d65e6e14ea60e14dac70b01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/gateway/commit/358bed50dcb7b32f39a2edb252fb1399c7fc65dc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/gateway/commit/8f48f5199cf1bbb9a8ac0695c5171bfef6c9198a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/envoyproxy/gateway"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/gateway/releases/tag/v1.2.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/gateway/releases/tag/v1.3.1"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3504"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Envoy Gateway Log Injection Vulnerability"
}

GHSA-MQGX-5F5C-W96H

Vulnerability from github – Published: 2026-06-06 06:30 – Updated: 2026-06-06 06:30
VLAI
Details

The Debug Log Manager – Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the log_js_errors() AJAX handler being registered for unauthenticated users via wp_ajax_nopriv_log_js_errors and gated only by a nonce that is publicly disclosed in every front-end page's HTML through wp_localize_script() whenever JavaScript error logging is enabled, providing no real authorization barrier. This makes it possible for unauthenticated attackers to inject arbitrary forged entries into the site's WordPress debug log by supplying attacker-controlled values for the message, script, lineNo, columnNo, and pageUrl fields — enabling spoofing of error and incident records, obscuring malicious activity within fabricated log noise, and misleading administrators who rely on the log for triage. This vulnerability is only exploitable when the plugin's JavaScript error logging feature is enabled, as the requisite nonce is only published into the page HTML under that condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-06T05:16:29Z",
    "severity": "MODERATE"
  },
  "details": "The Debug Log Manager \u2013 Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the `log_js_errors()` AJAX handler being registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors` and gated only by a nonce that is publicly disclosed in every front-end page\u0027s HTML through `wp_localize_script()` whenever JavaScript error logging is enabled, providing no real authorization barrier. This makes it possible for unauthenticated attackers to inject arbitrary forged entries into the site\u0027s WordPress debug log by supplying attacker-controlled values for the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` fields \u2014 enabling spoofing of error and incident records, obscuring malicious activity within fabricated log noise, and misleading administrators who rely on the log for triage. This vulnerability is only exploitable when the plugin\u0027s JavaScript error logging feature is enabled, as the requisite nonce is only published into the page HTML under that condition.",
  "id": "GHSA-mqgx-5f5c-w96h",
  "modified": "2026-06-06T06:30:29Z",
  "published": "2026-06-06T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9016"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/debug-log-manager/tags/2.4.3/bootstrap.php#L123"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/debug-log-manager/tags/2.4.3/bootstrap.php#L556"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/debug-log-manager/tags/2.4.3/classes/class-debug-log.php#L1947"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/debug-log-manager/tags/2.4.3/classes/class-debug-log.php#L1961"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3543321%40debug-log-manager\u0026new=3543321%40debug-log-manager\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25abca87-1be2-427e-ab01-377d52917052?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-30
Implementation

Strategy: Output Encoding

Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.

Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CAPEC-268: Audit Log Manipulation

The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-93: Log Injection-Tampering-Forging

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.