CVE-2021-43410 - OpenCVE

Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. In particular, some HTTP request parameters are logged without first being escaped. Versions affected: master branch before commit 3c5d8c7 [1] of airavata-django-portal [1] https://github.com/apache/airavata-django-portal/commit/3c5d8c72bfc3eb0af8693a655a5d60f9273f8170

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Airavata Django Portal

Configuration 1 [-]

cpe:2.3:a:apache:airavata_django_portal:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://lists.apache.org/thread/q64h16ofdxk29soz3jj561nysnzcrl31

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2021-12-09T09:00:12

Updated: 2024-08-04T03:55:29.278Z

Reserved: 2021-11-06T00:00:00

Link: CVE-2021-43410

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-12-09T09:15:07.137

Modified: 2021-12-14T13:19:54.627

Link: CVE-2021-43410

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Airavata Django Portal", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "commit 3c5d8c7", "status": "affected", "version": "master branch", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache Airavata would like to thank haby0 of Duxiaoman Financial Security Team for reporting this vulnerability."}], "descriptions": [{"lang": "en", "value": "Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. In particular, some HTTP request parameters are logged without first being escaped. Versions affected: master branch before commit 3c5d8c7 [1] of airavata-django-portal [1] https://github.com/apache/airavata-django-portal/commit/3c5d8c72bfc3eb0af8693a655a5d60f9273f8170"}], "metrics": [{"other": {"content": {"other": "low"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-117", "description": "CWE-117: Improper Output Neutralization for Logs", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-09T09:00:12", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/q64h16ofdxk29soz3jj561nysnzcrl31"}], "source": {"discovery": "UNKNOWN"}, "title": "airavata-django-portal allows CRLF log injection because of the lack of escaping in the log statements", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-43410", "STATE": "PUBLIC", "TITLE": "airavata-django-portal allows CRLF log injection because of the lack of escaping in the log statements"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Airavata Django Portal", "version": {"version_data": [{"version_affected": "<", "version_name": "master branch", "version_value": "commit 3c5d8c7"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Airavata would like to thank haby0 of Duxiaoman Financial Security Team for reporting this vulnerability."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. In particular, some HTTP request parameters are logged without first being escaped. Versions affected: master branch before commit 3c5d8c7 [1] of airavata-django-portal [1] https://github.com/apache/airavata-django-portal/commit/3c5d8c72bfc3eb0af8693a655a5d60f9273f8170"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "low"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-117: Improper Output Neutralization for Logs"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/q64h16ofdxk29soz3jj561nysnzcrl31", "refsource": "MISC", "url": "https://lists.apache.org/thread/q64h16ofdxk29soz3jj561nysnzcrl31"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:55:29.278Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/q64h16ofdxk29soz3jj561nysnzcrl31"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-43410", "datePublished": "2021-12-09T09:00:12", "dateReserved": "2021-11-06T00:00:00", "dateUpdated": "2024-08-04T03:55:29.278Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:airavata_django_portal:*:*:*:*:*:*:*:*", "matchCriteriaId": "38CA2AAD-8EF4-40A5-B6BD-3D63CF5B3A22", "versionEndExcluding": "2021-12-06", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. In particular, some HTTP request parameters are logged without first being escaped. Versions affected: master branch before commit 3c5d8c7 [1] of airavata-django-portal [1] https://github.com/apache/airavata-django-portal/commit/3c5d8c72bfc3eb0af8693a655a5d60f9273f8170"}, {"lang": "es", "value": "El portal Django de Apache Airavata permite una inyecci\u00f3n de registros CRLF debido a una falta de escape de las declaraciones de registro. En particular, algunos par\u00e1metros de peticiones HTTP se registran sin ser escapados previamente. Versiones afectadas: rama master versiones anteriores al commit 3c5d8c7 [1] de airavata-django-portal [1] https://github.com/apache/airavata-django-portal/commit/3c5d8c72bfc3eb0af8693a655a5d60f9273f8170"}], "id": "CVE-2021-43410", "lastModified": "2021-12-14T13:19:54.627", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-09T09:15:07.137", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/q64h16ofdxk29soz3jj561nysnzcrl31"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-117"}], "source": "security@apache.org", "type": "Secondary"}]}