PT-2022-21360 · Apache · Apache Sling+1

Alex Collignon · Published 2022-06-22 · Updated 2022-06-29

CVE-2022-32549
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Apache Sling Commons Log versions 5.4.0 and earlier
Apache Sling API versions 2.25.0 and earlier

Description

A log injection vulnerability allows an attacker to forge log entries, potentially covering their tracks by injecting fake records and corrupting log files.

Recommendations

For Apache Sling Commons Log versions 5.4.0 and earlier, update to a version later than 5.4.0 to resolve the issue. For Apache Sling API versions 2.25.0 and earlier, update to a version later than 2.25.0 to resolve the issue. As a temporary workaround, consider restricting access to log files to minimize the risk of exploitation.
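The weakness class behind this advisory (unescaped output reaching a log file) is illustrated below with an added example that is not code from Apache Sling or from this advisory: a username containing a newline is written unescaped and yields a second, forged record, whereas escaping control characters before logging keeps one record per line. The function names, the logger setup and the sample username are constructed for this illustration.

```python
import io
import logging
import re

# CR/LF let an input start a new log record; other C0 controls and DEL can
# corrupt the file or its rendering. Escaping them keeps one record per line.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str) -> str:
    """Escape control characters so a logged value cannot forge a record."""
    def esc(m: re.Match) -> str:
        c = m.group(0)
        return {"\n": "\\n", "\r": "\\r", "\t": "\\t"}.get(c, f"\\x{ord(c):02x}")
    return _CONTROL.sub(esc, value)


def make_logger(name: str):
    """Logger writing to an in-memory buffer (assumed setup for the demo)."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_login_unsafe(user: str) -> list:
    """Vulnerable pattern: the value is logged as received."""
    logger, buf = make_logger("unsafe")
    logger.info("login failed for user=%s", user)
    return buf.getvalue().splitlines()


def log_login_safe(user: str) -> list:
    """Hardened pattern: the value is escaped before it reaches the log."""
    logger, buf = make_logger("safe")
    logger.info("login failed for user=%s", sanitize_for_log(user))
    return buf.getvalue().splitlines()


# Constructed sample input: a username carrying an embedded newline and a
# fabricated record that would read as a successful admin login.
FORGED_USER = "bob\nINFO login succeeded for user=admin"

if __name__ == "__main__":
    print(log_login_unsafe(FORGED_USER))  # two records; the second is forged
    print(log_login_safe(FORGED_USER))    # one record; newline shown as \n
```

The same escaping should be applied to every externally controlled value before it is formatted into a log record; restricting who can read or modify the log files, as the advisory suggests, limits the impact but does not remove the injection.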

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

CVE-2022-32549
GHSA-QMX3-M648-HR74

Affected Products

Apache Sling
Apache Sling Commons Log