CVE-2022-32549 (GCVE-0-2022-32549)

Vulnerability from cvelistv5 – Published: 2022-06-22 14:25 – Updated: 2024-08-03 07:46
VLAI
Title
log injection in Sling logging
Summary
Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.
Severity
No CVSS data available.
CWE
  • CWE-117 - Improper Output Neutralization for Logs
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache Sling Affected: Apache Sling API , ≤ 2.25.0 (custom)
Affected: Apache Sling Commons Log , ≤ 5.4.0 (custom)
Create a notification for this product.
Credits
Apache Sling would like to thank Alex Collignon for reporting this issue.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:46:43.499Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Sling",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.25.0",
              "status": "affected",
              "version": "Apache Sling API",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.4.0",
              "status": "affected",
              "version": "Apache Sling Commons Log",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Sling would like to thank Alex Collignon for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Sling Commons Log \u003c= 5.4.0 and Apache Sling API \u003c= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "important"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-117",
              "description": "CWE-117: Improper Output Neutralization for Logs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-22T14:25:10.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "log injection in Sling logging",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-32549",
          "STATE": "PUBLIC",
          "TITLE": "log injection in Sling logging"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Sling",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Sling API",
                            "version_value": "2.25.0"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Sling Commons Log",
                            "version_value": "5.4.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Sling would like to thank Alex Collignon for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Sling Commons Log \u003c= 5.4.0 and Apache Sling API \u003c= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "important"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-117: Improper Output Neutralization for Logs"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-32549",
    "datePublished": "2022-06-22T14:25:10.000Z",
    "dateReserved": "2022-06-08T00:00:00.000Z",
    "dateUpdated": "2024-08-03T07:46:43.499Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-32549",
      "date": "2026-05-31",
      "epss": "0.02862",
      "percentile": "0.86502"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:sling_api:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.25.0\", \"matchCriteriaId\": \"3DE53A5F-C5AF-4BC5-8E11-25974893ED3F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:sling_commons_log:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"5.4.0\", \"matchCriteriaId\": \"292B4F19-0D8F-4F97-918E-9A81CF040B6D\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Apache Sling Commons Log \u003c= 5.4.0 and Apache Sling API \u003c= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.\"}, {\"lang\": \"es\", \"value\": \"Apache Sling Commons Log versiones anteriores a 5.4.0 incluy\\u00e9ndola y Apache Sling API versiones anteriores a 2.25.0 incluy\\u00e9ndola, son vulnerables a una inyecci\\u00f3n de registros. La capacidad de falsificar registros puede permitir a un atacante cubrir sus huellas al inyectar registros falsos y corrompiendo potencialmente los archivos de registro\"}]",
      "id": "CVE-2022-32549",
      "lastModified": "2024-11-21T07:06:36.523",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-06-22T15:15:08.407",
      "references": "[{\"url\": \"https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-117\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-116\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-32549\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-06-22T15:15:08.407\",\"lastModified\":\"2024-11-21T07:06:36.523\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Sling Commons Log \u003c= 5.4.0 and Apache Sling API \u003c= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.\"},{\"lang\":\"es\",\"value\":\"Apache Sling Commons Log versiones anteriores a 5.4.0 incluy\u00e9ndola y Apache Sling API versiones anteriores a 2.25.0 incluy\u00e9ndola, son vulnerables a una inyecci\u00f3n de registros. La capacidad de falsificar registros puede permitir a un atacante cubrir sus huellas al inyectar registros falsos y corrompiendo potencialmente los archivos de registro\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-117\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-116\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:sling_api:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.25.0\",\"matchCriteriaId\":\"3DE53A5F-C5AF-4BC5-8E11-25974893ED3F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:sling_commons_log:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"5.4.0\",\"matchCriteriaId\":\"292B4F19-0D8F-4F97-918E-9A81CF040B6D\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.