CWE-117
Improper Output Neutralization for Logs
The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
CVE-2023-1711 (GCVE-0-2023-1711)
Vulnerability from cvelistv5 – Published: 2023-05-30 18:46 – Updated: 2025-01-09 21:19
VLAI
Summary
A vulnerability exists in a FOXMAN-UN and UNEM logging component, it only affects systems that use remote authentication to the network elements.
If exploited an attacker could obtain confidential information.
List of CPEs:
* cpe:2.3:a:hitachienergy:foxman_un:R9C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R10C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R11A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R11B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R14A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R14B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R15A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R15B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R16A:*:*:*:*:*:*:*
*
* cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R10C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R11A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R11B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R14A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R14B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R15A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R15B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R16A:*:*:*:*:*:*:*
Severity
4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Hitachi Energy | FOXMAN-UN |
Affected:
FOXMAN-UN R16A
Affected: FOXMAN-UN R15B Affected: FOXMAN-UN R15A Affected: FOXMAN-UN R14B Affected: FOXMAN-UN R14A Affected: FOXMAN-UN R11B Affected: FOXMAN-UN R11A Affected: FOXMAN-UN R10C Affected: FOXMAN-UN R9C |
|
| Hitachi Energy | UNEM |
Affected:
UNEM R16A
Affected: UNEM R15B Affected: UNEM R15A Affected: UNEM R14B Affected: UNEM R14A Affected: UNEM R11B Affected: UNEM R11A Affected: UNEM R10C Affected: UNEM R9C |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:57:25.264Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000155\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000166\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1711",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-09T21:19:08.886899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T21:19:26.511Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FOXMAN-UN",
"vendor": "Hitachi Energy",
"versions": [
{
"status": "affected",
"version": "FOXMAN-UN R16A"
},
{
"status": "affected",
"version": "FOXMAN-UN R15B"
},
{
"status": "affected",
"version": "FOXMAN-UN R15A"
},
{
"status": "affected",
"version": "FOXMAN-UN R14B"
},
{
"status": "affected",
"version": "FOXMAN-UN R14A"
},
{
"status": "affected",
"version": "FOXMAN-UN R11B"
},
{
"status": "affected",
"version": "FOXMAN-UN R11A"
},
{
"status": "affected",
"version": "FOXMAN-UN R10C"
},
{
"status": "affected",
"version": "FOXMAN-UN R9C"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UNEM",
"vendor": "Hitachi Energy",
"versions": [
{
"status": "affected",
"version": "UNEM R16A"
},
{
"status": "affected",
"version": "UNEM R15B"
},
{
"status": "affected",
"version": "UNEM R15A"
},
{
"status": "affected",
"version": "UNEM R14B"
},
{
"status": "affected",
"version": "UNEM R14A"
},
{
"status": "affected",
"version": "UNEM R11B"
},
{
"status": "affected",
"version": "UNEM R11A"
},
{
"status": "affected",
"version": "UNEM R10C"
},
{
"status": "affected",
"version": "UNEM R9C"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability exists in a FOXMAN-UN and UNEM logging component, it only affects systems that use remote authentication to the network elements. \u003cbr\u003eIf exploited an attacker could obtain confidential information.\u003cbr\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eList of CPEs:\u003c/span\u003e\u003cbr\u003e\u003cul\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman_un:R9C:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman_un:R10C:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman_un:R11A:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman_un:R11B:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman_un:R14A:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman_un:R14B:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman_un:R15A:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman_un:R15B:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman_un:R16A:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy: unem :R10C:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy: unem :R11A:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy: unem :R11B:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy: unem :R14A:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy: unem :R14B:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy: unem :R15A:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy: unem :R15B:*:*:*:*:*:*:*\u003cbr\u003e\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy: unem :R16A:*:*:*:*:*:*:*\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "A vulnerability exists in a FOXMAN-UN and UNEM logging component, it only affects systems that use remote authentication to the network elements. \nIf exploited an attacker could obtain confidential information.\n\n\n\nList of CPEs:\n * cpe:2.3:a:hitachienergy:foxman_un:R9C:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:foxman_un:R10C:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R11A:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R11B:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R14A:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R14B:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R15A:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R15B:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy:foxman_un:R16A:*:*:*:*:*:*:*\n\n * \n * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy: unem :R10C:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R11A:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R11B:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R14A:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R14B:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R15A:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R15B:*:*:*:*:*:*:*\n\n * cpe:2.3:a:hitachienergy: unem :R16A:*:*:*:*:*:*:*\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-30T18:46:29.787Z",
"orgId": "e383dce4-0c27-4495-91c4-0db157728d17",
"shortName": "Hitachi Energy"
},
"references": [
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000155\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000166\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability is remediated in FOXMAN-UN/UNEM R16B.\u003cbr\u003ePlease upgrade to R16B when released or apply general mitigation factors.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "The vulnerability is remediated in FOXMAN-UN/UNEM R16B.\nPlease upgrade to R16B when released or apply general mitigation factors.\n\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nApply mitigation as described in the cybersecurity advisory Mitigation Factors/Workarounds Section.\n\n\u003cbr\u003e"
}
],
"value": "\nApply mitigation as described in the cybersecurity advisory Mitigation Factors/Workarounds Section.\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17",
"assignerShortName": "Hitachi Energy",
"cveId": "CVE-2023-1711",
"datePublished": "2023-05-30T18:46:24.317Z",
"dateReserved": "2023-03-30T07:56:02.223Z",
"dateUpdated": "2025-01-09T21:19:26.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28952 (GCVE-0-2023-28952)
Vulnerability from cvelistv5 – Published: 2024-05-03 17:39 – Updated: 2024-08-02 13:51
VLAI
Title
IBM Cognos Controller log injection
Summary
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to injection attacks in application logging by not sanitizing user provided data. IBM X-Force ID: 251463.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7149876 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Cognos Controller |
Affected:
10.4.1, 10.4.2, 11.0.0
|
|
| ibm | cognos_controller |
Affected:
10.4.1
cpe:2.3:a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:* |
|
| ibm | cognos_controller |
Affected:
10.4.2
cpe:2.3:a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:* |
|
| ibm | cognos_controller |
Affected:
11.0.0
cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cognos_controller",
"vendor": "ibm",
"versions": [
{
"status": "affected",
"version": "10.4.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cognos_controller",
"vendor": "ibm",
"versions": [
{
"status": "affected",
"version": "10.4.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cognos_controller",
"vendor": "ibm",
"versions": [
{
"status": "affected",
"version": "11.0.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28952",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-15T16:03:26.941334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:28:50.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:38.963Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7149876"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/251463"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.4.1, 10.4.2, 11.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to injection attacks in application logging by not sanitizing user provided data. IBM X-Force ID: 251463."
}
],
"value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to injection attacks in application logging by not sanitizing user provided data. IBM X-Force ID: 251463."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117 Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T17:39:23.634Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7149876"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/251463"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Controller log injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-28952",
"datePublished": "2024-05-03T17:39:23.634Z",
"dateReserved": "2023-03-29T01:33:55.065Z",
"dateUpdated": "2024-08-02T13:51:38.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31405 (GCVE-0-2023-31405)
Vulnerability from cvelistv5 – Published: 2023-07-11 02:23 – Updated: 2024-11-08 18:19
VLAI
Title
Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer)
Summary
SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated attacker to craft a request over the network which can result in unwarranted modifications to a system log without user interaction. There is no ability to view any information or any effect on availability.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP NetWeaver AS for Java (Log Viewer) |
Affected:
ENGINEAPI 7.50
Affected: SERVERCORE 7.50 Affected: J2EE-APPS 7.50 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:53:30.779Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3324732"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31405",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-08T18:19:34.601061Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T18:19:45.651Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP NetWeaver AS for Java (Log Viewer)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "ENGINEAPI 7.50"
},
{
"status": "affected",
"version": "SERVERCORE 7.50"
},
{
"status": "affected",
"version": "J2EE-APPS 7.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated attacker to craft a request over the network which can result in unwarranted modifications to a system log without user interaction. There is no ability to view any information or any effect on availability.\u003c/p\u003e"
}
],
"value": "SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated attacker to craft a request over the network which can result in unwarranted modifications to a system log without user interaction. There is no ability to view any information or any effect on availability.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117: Improper Output Neutralization for Logs",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-11T02:23:26.873Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3324732"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-31405",
"datePublished": "2023-07-11T02:23:26.873Z",
"dateReserved": "2023-04-27T18:29:50.455Z",
"dateUpdated": "2024-11-08T18:19:45.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32712 (GCVE-0-2023-32712)
Vulnerability from cvelistv5 – Published: 2023-06-01 16:34 – Updated: 2025-02-28 11:03
VLAI
Title
Unauthenticated Log Injection in Splunk Enterprise
Summary
In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit.
Universal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in situations where they have management services active and accessible over the network. Universal Forwarder versions 9.0.x and 9.1.x bind management services to the local machine and are not vulnerable in this specific configuration. See SVD-2022-0605 for more information. Universal Forwarder versions 9.1 use Unix Domain Sockets (UDS) for communication, which further reduces the potential attack surface.
The vulnerability does not directly affect Splunk Enterprise or Universal Forwarder. The indirect impact on Splunk Enterprise and Universal Forwarder can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Splunk | Splunk Enterprise |
Affected:
8.2 , < 8.2.11.2
(custom)
Affected: 9.0 , < 9.0.5.1 (custom) Affected: 9.1 , < 9.1.0.2 (custom) |
|
| Splunk | Universal Forwarder |
Affected:
8.2 , < 8.2.12
(custom)
Affected: 9.0 , < 9.0.6 (custom) Affected: 9.1 , < 9.1.1 (custom) |
|
| splunk | splunk |
Affected:
8.2 , < 8.2.11.2
(semver)
Affected: 9.0 , < 9.0.5.1 (semver) Affected: 9.1 , < 9.1.0.2 (semver) cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* |
|
| splunk | universal_forwarder |
Affected:
8.2 , < 8.2.12
(semver)
Affected: 9.0 , < 9.0.6 (semver) Affected: 9.1 , < 9.1.1 (semver) cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* |
Date Public
2023-06-01 00:00
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*"
],
"defaultStatus": "unknown",
"product": "splunk",
"vendor": "splunk",
"versions": [
{
"lessThan": "8.2.11.2",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "9.0.5.1",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "9.1.0.2",
"status": "affected",
"version": "9.1",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "universal_forwarder",
"vendor": "splunk",
"versions": [
{
"lessThan": "8.2.12",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "9.0.6",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "9.1.1",
"status": "affected",
"version": "9.1",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-20T19:25:54.346712Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117 Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:26:05.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:25:36.767Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisory.splunk.com/advisories/SVD-2023-0606"
},
{
"tags": [
"x_transferred"
],
"url": "https://research.splunk.com/application/de3908dc-1298-446d-84b9-fa81d37e959b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "8.2.11.2",
"status": "affected",
"version": "8.2",
"versionType": "custom"
},
{
"lessThan": "9.0.5.1",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"lessThan": "9.1.0.2",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
},
{
"product": "Universal Forwarder",
"vendor": "Splunk",
"versions": [
{
"lessThan": "8.2.12",
"status": "affected",
"version": "8.2",
"versionType": "custom"
},
{
"lessThan": "9.0.6",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"lessThan": "9.1.1",
"status": "affected",
"version": "9.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ST\u00d6K / Fredrik Alexandersson"
}
],
"datePublic": "2023-06-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit.\nUniversal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in situations where they have management services active and accessible over the network. Universal Forwarder versions 9.0.x and 9.1.x bind management services to the local machine and are not vulnerable in this specific configuration. See SVD-2022-0605 for more information. Universal Forwarder versions 9.1 use Unix Domain Sockets (UDS) for communication, which further reduces the potential attack surface.\nThe vulnerability does not directly affect Splunk Enterprise or Universal Forwarder. The indirect impact on Splunk Enterprise and Universal Forwarder can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine."
}
],
"value": "In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit.\nUniversal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in situations where they have management services active and accessible over the network. Universal Forwarder versions 9.0.x and 9.1.x bind management services to the local machine and are not vulnerable in this specific configuration. See SVD-2022-0605 for more information. Universal Forwarder versions 9.1 use Unix Domain Sockets (UDS) for communication, which further reduces the potential attack surface.\nThe vulnerability does not directly affect Splunk Enterprise or Universal Forwarder. The indirect impact on Splunk Enterprise and Universal Forwarder can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "The software does not neutralize or incorrectly neutralizes output that is written to logs.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T11:03:57.287Z",
"orgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"shortName": "Splunk"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2023-0606"
},
{
"url": "https://research.splunk.com/application/de3908dc-1298-446d-84b9-fa81d37e959b"
}
],
"source": {
"advisory": "SVD-2023-0606"
},
"title": "Unauthenticated Log Injection in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"assignerShortName": "Splunk",
"cveId": "CVE-2023-32712",
"datePublished": "2023-06-01T16:34:29.862Z",
"dateReserved": "2023-05-11T20:55:59.872Z",
"dateUpdated": "2025-02-28T11:03:57.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36924 (GCVE-0-2023-36924)
Vulnerability from cvelistv5 – Published: 2023-07-11 02:57 – Updated: 2024-10-23 16:21
VLAI
Title
Log Injection vulnerability in SAP ERP Defense Forces and Public Security
Summary
While using a specific function, SAP ERP Defense Forces and Public Security - versions 600, 603, 604, 605, 616, 617, 618, 802, 803, 804, 805, 806, 807, allows an authenticated attacker with admin privileges to write arbitrary data to the syslog file. On successful exploitation, an attacker could modify all the syslog data causing a complete compromise of integrity of the application.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP ERP Defense Forces and Public Security |
Affected:
600
Affected: 603 Affected: 604 Affected: 605 Affected: 616 Affected: 617 Affected: 618 Affected: 802 Affected: 803 Affected: 804 Affected: 805 Affected: 806 Affected: 807 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:10.031Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3351410"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T16:16:25.491312Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T16:21:35.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP ERP Defense Forces and Public Security",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "600"
},
{
"status": "affected",
"version": "603"
},
{
"status": "affected",
"version": "604"
},
{
"status": "affected",
"version": "605"
},
{
"status": "affected",
"version": "616"
},
{
"status": "affected",
"version": "617"
},
{
"status": "affected",
"version": "618"
},
{
"status": "affected",
"version": "802"
},
{
"status": "affected",
"version": "803"
},
{
"status": "affected",
"version": "804"
},
{
"status": "affected",
"version": "805"
},
{
"status": "affected",
"version": "806"
},
{
"status": "affected",
"version": "807"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhile using a specific function, SAP ERP Defense Forces and Public Security - versions 600, 603, 604, 605, 616, 617, 618, 802, 803, 804, 805, 806, 807, allows an authenticated attacker with admin privileges to write arbitrary data to the syslog file. On successful exploitation, an attacker could modify all the syslog data causing a complete compromise of integrity of the application.\u003c/p\u003e"
}
],
"value": "While using a specific function, SAP ERP Defense Forces and Public Security - versions 600, 603, 604, 605, 616, 617, 618, 802, 803, 804, 805, 806, 807, allows an authenticated attacker with admin privileges to write arbitrary data to the syslog file. On successful exploitation, an attacker could modify all the syslog data causing a complete compromise of integrity of the application.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117: Improper Output Neutralization for Logs",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-11T02:57:27.493Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3351410"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Log Injection vulnerability in SAP ERP Defense Forces and Public Security",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-36924",
"datePublished": "2023-07-11T02:57:27.493Z",
"dateReserved": "2023-06-27T21:23:26.300Z",
"dateUpdated": "2024-10-23T16:21:35.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37275 (GCVE-0-2023-37275)
Vulnerability from cvelistv5 – Published: 2023-07-13 22:34 – Updated: 2024-10-22 14:52
VLAI
Title
System logs spoofable in Auto-GPT via ANSI control sequences
Summary
Auto-GPT is an experimental open-source application showcasing the capabilities of the GPT-4 language model. The Auto-GPT command line UI makes heavy use of color-coded print statements to signify different types of system messages to the user, including messages that are crucial for the user to review and control which commands should be executed. Before v0.4.3, it was possible for a malicious external resource (such as a website browsed by Auto-GPT) to cause misleading messages to be printed to the console by getting the LLM to regurgitate JSON encoded ANSI escape sequences (`\u001b[`). These escape sequences were JSON decoded and printed to the console as part of the model's "thinking process". The issue has been patched in release version 0.4.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Significant-Gravitas/Auto-GPT/… | x_refsource_CONFIRM |
| https://github.com/Significant-Gravitas/Auto-GPT/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Significant-Gravitas | Auto-GPT |
Affected:
< 0.4.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:09:33.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Significant-Gravitas/Auto-GPT/security/advisories/GHSA-r7f7-qrrv-3fjh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Significant-Gravitas/Auto-GPT/security/advisories/GHSA-r7f7-qrrv-3fjh"
},
{
"name": "https://github.com/Significant-Gravitas/Auto-GPT/pull/4810",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Significant-Gravitas/Auto-GPT/pull/4810"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37275",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T14:51:38.896286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T14:52:38.684Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Auto-GPT",
"vendor": "Significant-Gravitas",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Auto-GPT is an experimental open-source application showcasing the capabilities of the GPT-4 language model. The Auto-GPT command line UI makes heavy use of color-coded print statements to signify different types of system messages to the user, including messages that are crucial for the user to review and control which commands should be executed. Before v0.4.3, it was possible for a malicious external resource (such as a website browsed by Auto-GPT) to cause misleading messages to be printed to the console by getting the LLM to regurgitate JSON encoded ANSI escape sequences (`\\u001b[`). These escape sequences were JSON decoded and printed to the console as part of the model\u0027s \"thinking process\". The issue has been patched in release version 0.4.3.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117: Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-13T22:34:45.809Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Significant-Gravitas/Auto-GPT/security/advisories/GHSA-r7f7-qrrv-3fjh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Significant-Gravitas/Auto-GPT/security/advisories/GHSA-r7f7-qrrv-3fjh"
},
{
"name": "https://github.com/Significant-Gravitas/Auto-GPT/pull/4810",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Significant-Gravitas/Auto-GPT/pull/4810"
}
],
"source": {
"advisory": "GHSA-r7f7-qrrv-3fjh",
"discovery": "UNKNOWN"
},
"title": "System logs spoofable in Auto-GPT via ANSI control sequences"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37275",
"datePublished": "2023-07-13T22:34:45.809Z",
"dateReserved": "2023-06-29T19:35:26.440Z",
"dateUpdated": "2024-10-22T14:52:38.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38020 (GCVE-0-2023-38020)
Vulnerability from cvelistv5 – Published: 2024-02-02 03:36 – Updated: 2024-08-02 17:23
VLAI
Title
IBM SOAR QRadar Plugin App log injection
Summary
IBM SOAR QRadar Plugin App 1.0 through 5.0.3 could allow an authenticated user to manipulate output written to log files. IBM X-Force ID: 260576.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7111679 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | SOAR QRadar Plugin App |
Affected:
1.0 , ≤ 5.0.3
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-05T19:15:50.024152Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:28.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.839Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7111679"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/260576"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SOAR QRadar Plugin App",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "5.0.3",
"status": "affected",
"version": "1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM SOAR QRadar Plugin App 1.0 through 5.0.3 could allow an authenticated user to manipulate output written to log files. IBM X-Force ID: 260576."
}
],
"value": "IBM SOAR QRadar Plugin App 1.0 through 5.0.3 could allow an authenticated user to manipulate output written to log files. IBM X-Force ID: 260576."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117 Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-02T03:36:26.147Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7111679"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/260576"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM SOAR QRadar Plugin App log injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-38020",
"datePublished": "2024-02-02T03:36:26.147Z",
"dateReserved": "2023-07-11T17:33:12.813Z",
"dateUpdated": "2024-08-02T17:23:27.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39461 (GCVE-0-2023-39461)
Vulnerability from cvelistv5 – Published: 2024-05-03 01:59 – Updated: 2024-08-02 18:10
VLAI
Title
Triangle MicroWorks SCADA Data Gateway Event Log Improper Output Neutralization For Logs Arbitrary File Write Vulnerability
Summary
Triangle MicroWorks SCADA Data Gateway Event Log Improper Output Neutralization For Logs Arbitrary File Write Vulnerability. This vulnerability allows remote attackers to write arbitrary files on affected installations of Triangle MicroWorks SCADA Data Gateway. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the handling of event logs. The issue results from improper sanitization of log output. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-20535.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| https://www.trianglemicroworks.com/products/scada… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Triangle MicroWorks | SCADA Data Gateway |
Affected:
5.1.3.20324
|
|
| trianglemicroworks | scada_data_gateway |
Affected:
5.1.3.20324
cpe:2.3:a:trianglemicroworks:scada_data_gateway:5.1.3.20324:*:*:*:*:*:*:* |
Date Public
2023-08-04 18:37
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:trianglemicroworks:scada_data_gateway:5.1.3.20324:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "scada_data_gateway",
"vendor": "trianglemicroworks",
"versions": [
{
"status": "affected",
"version": "5.1.3.20324"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-03T19:12:41.966123Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:26:58.048Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:20.704Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1029",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1029/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.trianglemicroworks.com/products/scada-data-gateway/what\u0027s-new"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SCADA Data Gateway",
"vendor": "Triangle MicroWorks",
"versions": [
{
"status": "affected",
"version": "5.1.3.20324"
}
]
}
],
"dateAssigned": "2023-08-02T21:44:31.394Z",
"datePublic": "2023-08-04T18:37:00.078Z",
"descriptions": [
{
"lang": "en",
"value": "Triangle MicroWorks SCADA Data Gateway Event Log Improper Output Neutralization For Logs Arbitrary File Write Vulnerability. This vulnerability allows remote attackers to write arbitrary files on affected installations of Triangle MicroWorks SCADA Data Gateway. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the handling of event logs. The issue results from improper sanitization of log output. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-20535."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117: Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T01:59:25.080Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1029",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1029/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://www.trianglemicroworks.com/products/scada-data-gateway/what\u0027s-new"
}
],
"source": {
"lang": "en",
"value": "Claroty Research - Team82 - Uri Katz, Noam Moshe, Vera Mens, Sharon Brizinov"
},
"title": "Triangle MicroWorks SCADA Data Gateway Event Log Improper Output Neutralization For Logs Arbitrary File Write Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-39461",
"datePublished": "2024-05-03T01:59:25.080Z",
"dateReserved": "2023-08-02T21:37:23.121Z",
"dateUpdated": "2024-08-02T18:10:20.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3997 (GCVE-0-2023-3997)
Vulnerability from cvelistv5 – Published: 2023-07-31 16:16 – Updated: 2025-02-28 11:03
VLAI
Title
Unauthenticated Log Injection In Splunk SOAR
Summary
Splunk SOAR versions lower than 6.1.0 are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action.
Severity
8.6 (High)
CWE
- CWE-117 - The software does not neutralize or incorrectly neutralizes output that is written to logs.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Splunk | Splunk SOAR (On-premises) |
Affected:
- , < 6.1.0
(custom)
|
|
| Splunk | Splunk SOAR (Cloud) |
Affected:
- , < 6.1.0
(custom)
|
Date Public
2023-07-31 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:17:10.425Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisory.splunk.com/advisories/SVD-2023-0702"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Splunk SOAR (On-premises)",
"vendor": "Splunk",
"versions": [
{
"lessThan": "6.1.0",
"status": "affected",
"version": "-",
"versionType": "custom"
}
]
},
{
"product": "Splunk SOAR (Cloud)",
"vendor": "Splunk",
"versions": [
{
"lessThan": "6.1.0",
"status": "affected",
"version": "-",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ST\u00d6K / Fredrik Alexandersson"
}
],
"datePublic": "2023-07-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Splunk SOAR versions lower than 6.1.0 are indirectly affected by a potential vulnerability accessed through the user\u2019s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user\u2019s action."
}
],
"value": "Splunk SOAR versions lower than 6.1.0 are indirectly affected by a potential vulnerability accessed through the user\u2019s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user\u2019s action."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "The software does not neutralize or incorrectly neutralizes output that is written to logs.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T11:03:50.122Z",
"orgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"shortName": "Splunk"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2023-0702"
}
],
"source": {
"advisory": "SVD-2023-0702"
},
"title": "Unauthenticated Log Injection In Splunk SOAR"
}
},
"cveMetadata": {
"assignerOrgId": "42b59230-ec95-491e-8425-5a5befa1a469",
"assignerShortName": "Splunk",
"cveId": "CVE-2023-3997",
"datePublished": "2023-07-31T16:16:19.911Z",
"dateReserved": "2023-07-28T17:28:28.614Z",
"dateUpdated": "2025-02-28T11:03:50.122Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4065 (GCVE-0-2023-4065)
Vulnerability from cvelistv5 – Published: 2023-09-26 13:25 – Updated: 2026-03-18 02:24
VLAI
Title
Operator: plaintext password in operator log
Summary
A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2023:4720 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2023-4065 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2224630 | issue-trackingx_refsource_REDHAT |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | RHEL-8 based Middleware Containers |
Unaffected:
7.11.1-9 , < *
(rpm)
cpe:/a:redhat:rhosemc:1.0::el8 |
|
| Red Hat | RHEL-8 based Middleware Containers |
Unaffected:
7.11.1-12 , < *
(rpm)
cpe:/a:redhat:rhosemc:1.0::el8 |
|
| Red Hat | Red Hat AMQ Broker 7 |
cpe:/a:redhat:amq_broker:7 |
Date Public
2023-08-23 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4065",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-26T16:44:13.976264Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117 Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T14:17:32.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:17:11.149Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2023:4720",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4720"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-4065"
},
{
"name": "RHBZ#2224630",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224630"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:rhosemc:1.0::el8"
],
"defaultStatus": "affected",
"packageName": "amq7/amq-broker-rhel8-operator",
"product": "RHEL-8 based Middleware Containers",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "7.11.1-9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:rhosemc:1.0::el8"
],
"defaultStatus": "affected",
"packageName": "amq7/amq-broker-rhel8-operator-bundle",
"product": "RHEL-8 based Middleware Containers",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "7.11.1-12",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:amq_broker:7"
],
"defaultStatus": "affected",
"packageName": "amq-broker-operator-container",
"product": "Red Hat AMQ Broker 7",
"vendor": "Red Hat"
}
],
"datePublic": "2023-08-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T02:24:44.986Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2023:4720",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4720"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-4065"
},
{
"name": "RHBZ#2224630",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224630"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-07-07T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-08-23T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Operator: plaintext password in operator log",
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-117: Improper Output Neutralization for Logs"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-4065",
"datePublished": "2023-09-26T13:25:23.092Z",
"dateReserved": "2023-08-01T18:02:17.631Z",
"dateUpdated": "2026-03-18T02:24:44.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-5
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation ID: MIT-30
Phase: Implementation
Strategy: Output Encoding
Description:
- Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
Mitigation ID: MIT-20
Phase: Implementation
Strategy: Input Validation
Description:
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CAPEC-268: Audit Log Manipulation
The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-93: Log Injection-Tampering-Forging
This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.