CVE-2024-21645

Name of the Vulnerable Software and Affected Versions pyload versions prior to 0.5.0b3.dev77

Description A log injection issue allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload. This can be achieved by supplying a username containing a newline when attempting to sign in with faulty credentials, as the newline is not properly escaped and serves as the delimiter between log entries. Forged or corrupted log files can be used to cover an attacker's tracks or implicate another party in a malicious act.

Recommendations For versions prior to 0.5.0b3.dev77, update to version 0.5.0b3.dev77 to resolve the issue. As a temporary workaround, consider restricting access to the login functionality to minimize the risk of exploitation. Avoid using the username parameter in the login endpoint until the issue is resolved.